Techniques
Sample rules
Potential Persistence Via New AMSI Providers - Registry
- source: sigma
- techniques:
Description
Detects when an attacker registers a new AMSI provider in order to achieve persistence
Detection logic
selection:
    EventType: CreateKey
    TargetObject|contains:
        - \SOFTWARE\Microsoft\AMSI\Providers\
        - \SOFTWARE\WOW6432Node\Microsoft\AMSI\Providers\
filter:
    Image|startswith:
        - C:\Windows\System32\
        - C:\Program Files\
        - C:\Program Files (x86)\
condition: selection and not filter
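The rule's logic expressed as a small Python matcher and run over constructed Sysmon Event ID 12 (registry CreateKey) records; this is an added example, not code from the Sigma project. The field names follow the rule, the events and the `{PLACEHOLDER-CLSID}` key name are made up.

```python
# Added example: evaluate the Sigma rule "Potential Persistence Via New AMSI
# Providers - Registry" over constructed Sysmon registry events.
# Sigma string matching is case-insensitive by default, so both sides are
# lower-cased before comparing.
SELECTION_TARGETS = [
    "\\SOFTWARE\\Microsoft\\AMSI\\Providers\\",
    "\\SOFTWARE\\WOW6432Node\\Microsoft\\AMSI\\Providers\\",
]
FILTER_IMAGES = [
    "C:\\Windows\\System32\\",
    "C:\\Program Files\\",
    "C:\\Program Files (x86)\\",
]


def selection_matches(event: dict) -> bool:
    # selection: EventType == CreateKey AND TargetObject contains a provider path
    if event.get("EventType", "").lower() != "createkey":
        return False
    target = event.get("TargetObject", "").lower()
    return any(p.lower() in target for p in SELECTION_TARGETS)


def filter_matches(event: dict) -> bool:
    # filter: Image starts with one of the trusted install locations
    image = event.get("Image", "").lower()
    return any(image.startswith(p.lower()) for p in FILTER_IMAGES)


def rule_matches(event: dict) -> bool:
    # condition: selection and not filter
    return selection_matches(event) and not filter_matches(event)


def run_rule(events: list) -> list:
    """Return the Image of every event the rule fires on."""
    return [e["Image"] for e in events if rule_matches(e)]


# Constructed sample events (Sysmon Event ID 12 fields); none are real telemetry.
SAMPLE_EVENTS = [
    {"EventType": "CreateKey", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{PLACEHOLDER-CLSID}"},
    {"EventType": "CreateKey", "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\AMSI\\Providers\\{PLACEHOLDER-CLSID}"},
    {"EventType": "SetValue", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{PLACEHOLDER-CLSID}"},
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT: AMSI provider key created by", hit)
```

Only the first event fires: the second is suppressed by the trusted-path filter (so a key created by a process running from System32 or Program Files is never alerted on, which is the rule's deliberate false-negative tradeoff) and the third is a SetValue, not a CreateKey.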