Potential AMSI COM Server Hijacking (160d2780-31f7-4922-8b3a-efce30e63e96)

Detects changes to the AMSI COM server registry key made in order to disable AMSI scanning functionality. When AMSI attempts to start its COM component, it queries the registered CLSID; if the InprocServer32 value has been redirected to a non-existent COM server, the load fails, no scanning methods can be accessed, and AMSI is effectively rendered useless.
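The following is an added example, not the Sigma rule's own source or pySigma output: it re-implements the rule's detection logic in plain Python and runs it over constructed Sysmon Event ID 13 (RegistryEvent, Value Set) records. The CLSID {fdb00e52-a214-4aa1-8fba-4357bb0072ec} is CLSID_Antimalware from amsi.h; the stock InprocServer32 value "%windir%\system32\amsi.dll" is the benign value the rule filters out. The field names follow Sysmon's event schema, and the sample records (SIDs, image paths, DLL names) are made up for the demonstration.

```python
"""Run the logic of Sigma rule 160d2780-31f7-4922-8b3a-efce30e63e96 over
Sysmon Event ID 13 records (added example; not the rule's own code)."""

# CLSID_Antimalware as defined in amsi.h
AMSI_CLSID = "{fdb00e52-a214-4aa1-8fba-4357bb0072ec}"
# Sigma: TargetObject|endswith '\CLSID\{...}\InProcServer32\(Default)'
# Sysmon appends "\(Default)" for the default value of a key. Lower-cased
# because Sigma string modifiers match case-insensitively.
TARGET_SUFFIX = f"\\clsid\\{AMSI_CLSID}\\inprocserver32\\(default)"
# Sigma filter: the stock REG_EXPAND_SZ value written by Windows itself
LEGIT_DETAILS = "%windir%\\system32\\amsi.dll"


def is_amsi_com_hijack(event: dict) -> bool:
    """True when a Value Set event rewrites the AMSI COM server path to
    anything other than the stock amsi.dll (selection and not filter)."""
    if event.get("EventID") != 13:          # only Sysmon RegistryEvent (Value Set)
        return False
    target = str(event.get("TargetObject", "")).lower()
    if not target.endswith(TARGET_SUFFIX):  # wrong key or wrong CLSID
        return False
    details = str(event.get("Details", "")).lower()
    return details != LEGIT_DETAILS         # rewritten to the legitimate DLL is benign


def scan(events):
    """Return one alert dict per matching event, in input order."""
    return [
        {"Image": e.get("Image", "?"),
         "TargetObject": e["TargetObject"],
         "Details": e.get("Details", "")}
        for e in events if is_amsi_com_hijack(e)
    ]


# Constructed sample records (not real telemetry). Sysmon renders per-user
# hives as HKU\<SID>\..., so the endswith match covers HKCU and HKLM alike.
SAMPLE_EVENTS = [
    {   # per-user CLSID registration pointing at a DLL that does not exist
        "EventID": 13,
        "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\CLSID\\"
                        "{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\\InprocServer32\\(Default)",
        "Details": "C:\\IDontExist.dll",
    },
    {   # machine-wide rewrite to an attacker-controlled path
        "EventID": 13,
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Classes\\CLSID\\"
                        "{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\\InprocServer32\\(Default)",
        "Details": "C:\\Users\\Public\\fake.dll",
    },
    {   # benign: servicing writes the stock value back (filtered out)
        "EventID": 13,
        "Image": "C:\\Windows\\System32\\msiexec.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Classes\\CLSID\\"
                        "{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\\InprocServer32\\(Default)",
        "Details": "%windir%\\system32\\amsi.dll",
    },
    {   # benign: unrelated CLSID (made-up GUID)
        "EventID": 13,
        "Image": "C:\\Windows\\System32\\regsvr32.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Classes\\CLSID\\"
                        "{00000000-1111-2222-3333-444444444444}\\InprocServer32\\(Default)",
        "Details": "C:\\Program Files\\Example\\example.dll",
    },
    {   # out of scope: key creation (Event ID 12), no value written yet
        "EventID": 12,
        "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\CLSID\\"
                        "{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\\InprocServer32",
    },
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"AMSI COM hijack: {alert['Image']} set {alert['TargetObject']} = {alert['Details']}")
```

Two points worth keeping in mind when tuning this: the suffix match deliberately does not pin the hive, because a per-user registration under HKCU\Software\Classes shadows the HKLM entry for medium-integrity processes such as a user's PowerShell session, so the HKU path is the one an attacker without admin rights will use; and the benign filter only accepts the unexpanded "%windir%\system32\amsi.dll" string, so a legitimate installer that writes the expanded path would still fire and may need a local exception.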

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Potential AMSI COM Server Hijacking (160d2780-31f7-4922-8b3a-efce30e63e96) | Sigma-Rules | Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | 1 |
| Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | 2 |