Skip to content

Hide Navigation Hide TOC

Windows AMSI Related Registry Tampering Via CommandLine (7dbbcac2-57a0-45ac-b306-ff30a8bd2981)

Detects tampering of AMSI (Anti-Malware Scan Interface) related registry values via command line tools such as reg.exe or PowerShell. AMSI provides a generic interface for applications and services to integrate with antimalware products. Adversaries may disable AMSI to evade detection of malicious scripts and code execution.

Cluster A Galaxy A Cluster B Galaxy B Level
Windows AMSI Related Registry Tampering Via CommandLine (7dbbcac2-57a0-45ac-b306-ff30a8bd2981) Sigma-Rules Indicator Blocking - T1562.006 (74d2a63f-3c7b-4852-92da-02d8fbab16da) Attack Pattern 1
Windows AMSI Related Registry Tampering Via CommandLine (7dbbcac2-57a0-45ac-b306-ff30a8bd2981) Sigma-Rules Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 1
Indicator Blocking - T1562.006 (74d2a63f-3c7b-4852-92da-02d8fbab16da) Attack Pattern Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern 2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 2