T1562.001 Impair Defenses AMSIBypass

T1562.001 - Impair Defenses: Disable or Modify Tools - AMSI Bypass attack¶

DESCRIPTION¶

This query detects attempts to disable AMSI (Antimalware Scripting Interface) in the command line. It is possible to bypass AMSI by disabling it before loading the main payload.

Example:

[Ref].Assembly.GetType(‘System.Management.Automation.Am’+’siUtils’).GetField(‘amsiInitFailed’,’NonPublic,Static’).SetValue($null,$true)

Related

NA

Reference:

https://github.com/SigmaHQ/sigma/blob/8d28609c041867e1cea7821900e43c0106e6c766/deprecated/windows/proc_creation_win_powershell_amsi_bypass_pattern_nov22.yml

ATT&CK TACTICS¶

T1562.001 - Impair Defenses: Disable or Modify Tools

Data Source(s): Command

SENTINEL RULE QUERY¶

1 2	`let c1 = dynamic(['Assembly.GetType','SetValue']); find where InitiatingProcessCommandLine has_all (c1) or CommandLine has_all (c1)`

Triage¶

Inspect if the activity if it is expected and approved performed by an admin or a service

VERSION¶

Version 1.0 (date: 10/07/2023)