T1562.001 Impair Defenses Removal Of AMSI Provider Registry Keys

T1562.001 - Impair Defenses: Removal Of AMSI Provider Registry Keys

DESCRIPTION

Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.\ Credit(s): frack113

Example:

Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse

Related

Ransomware, Persistence

Reference:

https://github.com/SigmaHQ/sigma/blob/8d28609c041867e1cea7821900e43c0106e6c766/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
https://seclists.org/fulldisclosure/2020/Mar/45

ATT&CK TACTICS

T1562.001 - Impair Defenses: Disable or Modify Tools

Data Source(s): Windows Registry

SENTINEL RULE QUERY

let exclusion_defender= dynamic([@'c:\programdata\microsoft\windows defender',@'c:\program files\windows defender']); //Exclude activities from Microsoft Defender itself
DeviceRegistryEvents
| where ActionType == "RegistryKeyDeleted"
| where not(InitiatingProcessFolderPath has_any(exclusion_defender) and InitiatingProcessFileName == "msmpeng.exe") and (PreviousRegistryKey endswith '{2781761E-28E0-4109-99FE-B9D127C57AFE}' or PreviousRegistryKey endswith '{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}')

Triage

1. Inspect if the activity is expected and approved. It may be performed by an admin or a service

FalsePositive

1. Unlikely

VERSION

Version 1.0 (date: 31/10/2023)