Modification of AmsiEnable Registry Key | Elastic Security Solution [7.16]

IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

› › ›

« Mimikatz Memssp Log File Detected Modification of Boot Configuration »

Modification of AmsiEnable Registry Keyedit

JScript tries to query the AmsiEnable registry key from the HKEY_USERS registry hive before initializing Antimalware Scan Interface (AMSI). If this key is set to 0, AMSI is not enabled for the JScript process. An adversary can modify this key to disable AMSI protections.

Rule type: eql

Rule indices:

winlogbeat-*
logs-endpoint.events.*
logs-windows.*

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Elastic
Host
Windows
Threat Detection
Defense Evasion

Version: 2 (version history)

Added (Elastic Stack release): 7.14.0

Last modified (Elastic Stack release): 7.15.0

Rule authors: Elastic

Rule license: Elastic License v2

Rule queryedit

registry where event.type in ("creation", "change") and
registry.path: "HKEY_USERS\\*\\Software\\Microsoft\\Windows
Script\\Settings\\AmsiEnable" and registry.data.strings: "0"

Threat mappingedit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Impair Defenses
- ID: T1562
- Reference URL: https://attack.mitre.org/techniques/T1562/

Rule version historyedit

Version 2 (7.15.0 release)

Formatting only

« Mimikatz Memssp Log File Detected Modification of Boot Configuration »