LoFP / network operator may disable this feature of windows but not so common.

Techniques

• T1562
• T1562.001

Sample rules

Disable AMSI Through Registry

• source: splunk
• technicques:
  • T1562.001
  • T1562

Description

The following analytic detects modifications to the Windows registry that disable the Antimalware Scan Interface (AMSI) by setting the “AmsiEnable” value to “0x00000000”. This detection leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path “*\SOFTWARE\Microsoft\Windows Script\Settings\AmsiEnable”. Disabling AMSI is significant as it is a common technique used by ransomware, Remote Access Trojans (RATs), and Advanced Persistent Threats (APTs) to evade detection and impair defenses. If confirmed malicious, this activity could allow attackers to execute payloads with minimal alerts, leading to potential system compromise and data exfiltration.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows Script\\Settings\\AmsiEnable" Registry.registry_value_data = "0x00000000") BY Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user 
| `drop_dm_object_name(Registry)` 
| where isnotnull(registry_value_data) 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `disable_amsi_through_registry_filter`

Disable ETW Through Registry

• source: splunk
• technicques:
  • T1562.001
  • T1562

Description

The following analytic detects modifications to the registry that disable the Event Tracing for Windows (ETW) feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path “*\SOFTWARE\Microsoft\.NETFramework\ETWEnabled” with a value set to “0x00000000”. This activity is significant because disabling ETW can allow attackers to evade detection mechanisms, making it harder for security tools to monitor malicious activities. If confirmed malicious, this could enable attackers to execute payloads with minimal alerts, impairing defenses and potentially leading to further compromise of the system.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\.NETFramework\\ETWEnabled" Registry.registry_value_data = "0x00000000") BY Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid 
| `drop_dm_object_name(Registry)` 
| where isnotnull(registry_value_data) 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `disable_etw_through_registry_filter`