Skip to content

Hide Navigation Hide TOC

AMSI Disabled via Registry Modification (aa37cbb0-da36-42cb-a90f-fdf216fc7467)

Detects attempts to disable AMSI (Anti-Malware Scan Interface) by modifying the AmsiEnable registry value. Anti-Malware Scan Interface (AMSI) is a security feature in Windows that allows applications and services to integrate with anti-malware products for enhanced protection against malicious content. Adversaries may attempt to disable AMSI to evade detection by security software, allowing them to execute malicious scripts or code without being scanned.

Cluster A Galaxy A Cluster B Galaxy B Level
Indicator Blocking - T1562.006 (74d2a63f-3c7b-4852-92da-02d8fbab16da) Attack Pattern AMSI Disabled via Registry Modification (aa37cbb0-da36-42cb-a90f-fdf216fc7467) Sigma-Rules 1
AMSI Disabled via Registry Modification (aa37cbb0-da36-42cb-a90f-fdf216fc7467) Sigma-Rules Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 1
Indicator Blocking - T1562.006 (74d2a63f-3c7b-4852-92da-02d8fbab16da) Attack Pattern Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern 2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 2