new: AMSI Disabled via Registry Modification

regression_data/rules/windows/process_creation/proc_creation_win_amsi_disable/7dbbcac2-57a0-45ac-b306-ff30a8bd2981.json

@@ -0,0 +1,66 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2025-12-25T14:30:27.369114Z"
+        }
+      },
+      "EventRecordID": 16094,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3208,
+          "ThreadID": 1724
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2025-12-25 14:30:27.352",
+      "ProcessGuid": "0197231E-4A83-694D-9E0E-000000000800",
+      "ProcessId": 14144,
+      "Image": "C:\\Windows\\System32\\reg.exe",
+      "FileVersion": "10.0.26100.1 (WinBuild.160101.0800)",
+      "Description": "Registry Console Tool",
+      "Product": "Microsoft® Windows® Operating System",
+      "Company": "Microsoft Corporation",
+      "OriginalFileName": "reg.exe",
+      "CommandLine": "\"C:\\WINDOWS\\system32\\reg.exe\" add \"HKCU\\Software\\Microsoft\\Windows Script\\Settings\" /v AmsiEnable /t REG_DWORD /d 0 /f",
+      "CurrentDirectory": "C:\\WINDOWS\\system32\\",
+      "User": "swachchhanda\\xodih",
+      "LogonGuid": "0197231E-AB9F-67AA-4C14-030000000000",
+      "LogonId": "0x3144c",
+      "TerminalSessionId": 1,
+      "IntegrityLevel": "High",
+      "Hashes": "MD5=573EB13AC2BA31E9C2E17FB6DAD14154,SHA256=E295E776FD4F7F73DFAAA5698A19EA7A2F4A2F0C5E1681FAC94E45D00296C926,IMPHASH=A26BCB048DF34CBB422F2656F38634D0",
+      "ParentProcessGuid": "0197231E-EC48-694C-AA0C-000000000800",
+      "ParentProcessId": 12456,
+      "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
+      "ParentCommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"",
+      "ParentUser": "swachchhanda\\xodih"
+    }
+  }
+}

regression_data/rules/windows/process_creation/proc_creation_win_amsi_disable/info.yml

@@ -0,0 +1,13 @@
+id: 242d26e0-1ce5-4a34-960d-144f34f60e37
+description: N/A
+date: 2025-12-25
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: 7dbbcac2-57a0-45ac-b306-ff30a8bd2981
+      title: Windows AMSI Disabled
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/process_creation/proc_creation_win_amsi_disable/7dbbcac2-57a0-45ac-b306-ff30a8bd2981.evtx

regression_data/rules/windows/registry/registry_set/registry_set_amsi_disable/aa37cbb0-da36-42cb-a90f-fdf216fc7467.json

@@ -0,0 +1,52 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 13,
+      "Version": 2,
+      "Level": 4,
+      "Task": 13,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2025-12-25T10:58:31.890479Z"
+        }
+      },
+      "EventRecordID": 16031,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3208,
+          "ThreadID": 1724
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "EventType": "SetValue",
+      "UtcTime": "2025-12-25 10:58:31.888",
+      "ProcessGuid": "0197231E-EC48-694C-AA0C-000000000800",
+      "ProcessId": 12456,
+      "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
+      "TargetObject": "HKU\\S-1-5-21-2555720767-1205513275-3893774561-1001\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable",
+      "Details": "DWORD (0x00000000)",
+      "User": "swachchhanda\\xodih"
+    }
+  }
+}

regression_data/rules/windows/registry/registry_set/registry_set_amsi_disable/info.yml

@@ -0,0 +1,13 @@
+id: a02685df-b4dd-4f5b-b120-9127e1662022
+description: N/A
+date: 2025-12-25
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: aa37cbb0-da36-42cb-a90f-fdf216fc7467
+      title: AMSI Disabled via Registry Modification
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/registry/registry_set/registry_set_amsi_disable/aa37cbb0-da36-42cb-a90f-fdf216fc7467.evtx

rules/windows/process_creation/proc_creation_win_amsi_disable.yml

@@ -0,0 +1,53 @@
+title: Windows AMSI Disabled
+id: 7dbbcac2-57a0-45ac-b306-ff30a8bd2981
+related:
+    - id: aa37cbb0-da36-42cb-a90f-fdf216fc7467 # AMSI Disabled via Registry Modification
+      type: similar
+status: experimental
+description: |
+    Detects attempts to disable Windows Antimalware Scan Interface (AMSI) by modifying the AmsiEnable registry value to 0.
+    AMSI provides a generic interface for applications and services to integrate with antimalware products.
+    Adversaries may disable AMSI to evade detection of malicious scripts and code execution.
+references:
+    - https://github.com/arttoolkit/arttoolkit.github.io/blob/16d6230d009e58fd6f773f5317fd4d14c1f26004/_wadcoms/AMSI-Bypass-Jscript_amsienable.md
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-12-25
+tags:
+    - attack.defense-evasion
+    - attack.t1562.001
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_key:
+        CommandLine|contains|all:
+            - '\Software\Microsoft\Windows Script\Settings'
+            - 'AmsiEnable'
+            - 'DWORD'
+            - '0'
+    selection_reg_img:
+        - Image|endswith: '\reg.exe'
+        - OriginalFileName: 'reg.exe'
+    selection_reg_cmd:
+        CommandLine|contains: 'add'
+    selection_powershell_img:
+        - Image|endswith:
+              - '\powershell.exe'
+              - '\pwsh.exe'
+        - OriginalFileName:
+              - 'PowerShell.EXE'
+              - 'pwsh.dll'
+    selection_powershell_cmd:
+        CommandLine|contains:
+            - 'Set-ItemProperty'
+            - 'New-ItemProperty'
+            - 'sp '
+    filter_main_enable:
+        CommandLine|contains:
+            - '01'
+            - '0x1'
+    condition: selection_key and (all of selection_powershell_* or all of selection_reg_*) and not 1 of filter_main_*
+falsepositives:
+    - Unknown
+level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_amsi_disable/info.yml

rules/windows/registry/registry_set/registry_set_amsi_disable.yml

@@ -0,0 +1,35 @@
+title: AMSI Disabled via Registry Modification
+id: aa37cbb0-da36-42cb-a90f-fdf216fc7467
+related:
+    - id: 7dbbcac2-57a0-45ac-b306-ff30a8bd2981 # Windows AMSI Disabled
+      type: similar
+status: experimental
+description: |
+    Detects attempts to disable AMSI (Anti-Malware Scan Interface) by modifying the AmsiEnable registry value.
+    Anti-Malware Scan Interface (AMSI) is a security feature in Windows that allows applications and services to integrate with anti-malware products for enhanced protection against malicious content.
+    Adversaries may attempt to disable AMSI to evade detection by security software, allowing them to execute malicious scripts or code without being scanned.
+references:
+    - https://mostafayahiax.medium.com/hunting-for-amsi-bypassing-methods-9886dda0bf9d
+    - https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal"
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-12-25
+tags:
+    - attack.defense-evasion
+    - attack.t1562.001
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection:
+        TargetObject|endswith: '\Software\Microsoft\Windows Script\Settings\AmsiEnable'
+        Details: 'DWORD (0x00000000)'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
+regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_amsi_disable/info.yml
+simulation:
+    - type: atomic-red-team
+      name: AMSI Bypass - Create AMSIEnable Reg Key
+      technique: T1562.001
+      atomic_guid: 728eca7b-0444-4f6f-ac36-437e3d751dc0