AMSI Enable Registry Key Modification for Defense Evasion
Adversaries set the AmsiEnable registry value to 0 to disable AMSI scanning in Windows Script Host, bypassing AMSI protection for JScript and VBScript executed through wscript.exe or cscript.exe.
Attackers can evade detection by disabling the Antimalware Scan Interface (AMSI) for Windows Script Host with a single registry value. AMSI is a Windows interface that lets applications and services (PowerShell, Windows Script Host, and others) submit content such as script text to the installed antimalware engine before it runs. Windows Script Host reads the AmsiEnable DWORD under the current user's Software\Microsoft\Windows Script\Settings key; setting it to 0 turns off AMSI scanning for JScript and VBScript run by wscript.exe and cscript.exe in that user's context. The value does not govern PowerShell, which has its own AMSI integration, so the bypass is specific to script-host execution. Because the value lives in the user's own hive, no elevated privileges are needed to change it. This technique is commonly used to run malicious scripts without triggering security warnings or blocks and is often a precursor to deploying further payloads or establishing persistence on a compromised system. The behavior has been observed since at least 2019 and remains a relevant defense evasion technique.
Attack Chain
- An attacker gains initial access to the target system, possibly through phishing or exploiting a vulnerability.
- The attacker executes a script or binary that modifies the AmsiEnable registry value.
- The script or binary uses reg.exe, PowerShell (for example Set-ItemProperty), or another tool to set AmsiEnable to 0. The value is typically located at HKEY_USERS\<SID>\Software\Microsoft\Windows Script\Settings\AmsiEnable, which the user sees as HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings\AmsiEnable.
- With scanning disabled for the script host, the attacker runs JScript or VBScript payloads through wscript.exe or cscript.exe. PowerShell is commonly used to set the value, but its own AMSI integration is not affected by it.
- The malicious scripts download and execute additional payloads, such as malware or remote access tools (RATs).
- The attacker performs lateral movement within the network using the compromised system as a pivot.
- The attacker attempts to establish persistence, ensuring continued access to the system even after reboots.
- The attacker exfiltrates sensitive data or deploys ransomware to achieve their objectives.
Impact
Successful modification of the AmsiEnable registry value allows attackers to execute JScript and VBScript without AMSI inspection, leading to potential malware infections, data breaches, and system compromise. Disabling AMSI for the script host significantly reduces the effectiveness of endpoint security solutions that rely on AMSI to inspect script content, leaving the system more exposed to attack. The impact can range from individual workstation compromise to widespread network infection, depending on the attacker's objectives and the organization's security posture.
Recommendation
- Deploy the Sigma rule Detect AmsiEnable Registry Modification via Registry Events to your SIEM to detect modifications to the AmsiEnable registry value.
- Enable Sysmon registry event logging (Event ID 12/13/14) and make sure the Sysmon configuration includes Software\Microsoft\Windows Script\Settings in its registry include rules; without that, the rule receives no events to match.
- Monitor process creation events (Sysmon Event ID 1, or Windows Security Event ID 4688 with command-line auditing enabled) for processes modifying registry keys, especially reg.exe and PowerShell, using the rule Detect AmsiEnable Registry Modification via Process Creation.
- Investigate any alerts generated by these rules promptly to determine whether the activity is malicious or legitimate.
- Implement application control policies to restrict the execution of unsigned or untrusted scripts and binaries.
- Harden systems by restricting write access to critical registry keys where feasible. Note that this value lives in the user's own hive, which the user can always write, so detection and response are the primary controls for this specific technique.
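The attack chain and the two recommended rules can be exercised offline with a small detector. The following Python is an added example written for this page; it is not the platform's Sigma rules or any vendor's code. It assumes Sysmon-style events (Event ID 13 for a registry value set, Event ID 1 for process creation) flattened into dictionaries with Sysmon's field names, and the sample events, including the reg.exe and PowerShell command lines an attacker would use to write the value, are constructed here rather than captured from a real host.

```python
"""Added example: AmsiEnable tamper detection over constructed Sysmon-style events.

Illustrative code for this page, not the platform's rules. Field names follow
Sysmon (EventID 13 = registry value set, EventID 1 = process creation); the
user hive is rendered as HKU\<SID>\... the way Sysmon reports it.
"""
import re

# Match on the tail of the value path so HKU\<SID>\... and HKCU\... spellings
# are both covered; comparison is done on the lowercased TargetObject.
AMSI_VALUE_TAIL = r"\software\microsoft\windows script\settings\amsienable"

# Sysmon renders a DWORD value as "DWORD (0x00000000)".
_ZERO_DWORD = re.compile(r"DWORD \(0x0+\)")

# Command-line forms that write a zero: reg.exe "/d 0", PowerShell "-Value 0",
# or an "AmsiEnable=0" / "AmsiEnable,0" style argument.
_ZERO_ARG = re.compile(r"(/d\s+0+\b|-value\s+0+\b|\bamsienable\b\s*[=,]\s*0+\b)", re.IGNORECASE)


def registry_rule(event: dict) -> bool:
    """Rule 1 (high): a registry value-set event writing AmsiEnable = 0."""
    if event.get("EventID") != 13:
        return False
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "")
    return target.endswith(AMSI_VALUE_TAIL) and _ZERO_DWORD.fullmatch(details) is not None


def process_rule(event: dict) -> bool:
    """Rule 2 (medium): a process command line that names the key and writes 0."""
    if event.get("EventID") != 1:
        return False
    cmd = event.get("CommandLine", "")
    lowered = cmd.lower()
    # Both the key path and the value name must appear; a value of 1
    # (re-enabling AMSI) or a plain "reg query" must not alert.
    if "windows script\\settings" not in lowered or "amsienable" not in lowered:
        return False
    return _ZERO_ARG.search(cmd) is not None


def evaluate(events: list) -> list:
    """Run both rules; return (event index, rule name, severity) per alert."""
    alerts = []
    for i, ev in enumerate(events):
        if registry_rule(ev):
            alerts.append((i, "registry_events", "high"))
        if process_rule(ev):
            alerts.append((i, "process_creation", "medium"))
    return alerts


# Constructed sample events (not real telemetry); the SID is a placeholder.
_USER_VALUE = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows Script\Settings\AmsiEnable"
SAMPLE_EVENTS = [
    {   # attacker: reg.exe wrote AmsiEnable = 0 into the user hive
        "EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": _USER_VALUE, "Details": "DWORD (0x00000000)",
    },
    {   # attacker: the reg.exe command line that produced the event above
        "EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
        "CommandLine": r'reg add "HKCU\Software\Microsoft\Windows Script\Settings" /v AmsiEnable /t REG_DWORD /d 0 /f',
    },
    {   # attacker: the same change made from PowerShell
        "EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'''powershell.exe -nop -c "Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows Script\Settings' -Name AmsiEnable -Value 0 -Type DWord"''',
    },
    {   # benign: an administrator re-enabling scanning (value 1)
        "EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": _USER_VALUE, "Details": "DWORD (0x00000001)",
    },
    {   # benign: reading the value without changing it
        "EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
        "CommandLine": r'reg query "HKCU\Software\Microsoft\Windows Script\Settings" /v AmsiEnable',
    },
]

if __name__ == "__main__":
    for idx, rule, sev in evaluate(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{sev}] {rule}: {ev['Image']} -> {ev.get('CommandLine') or ev['TargetObject']}")
```

Running the script alerts on the first three events and stays silent on the two benign ones. The severities mirror the page's rules: the registry event is the higher-fidelity signal because it records the written value regardless of how the write was performed, whereas the command-line rule is easily evaded by encoded or obfuscated PowerShell, or by a binary that calls the registry API directly, which is why it is rated medium.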
Detection coverage (2 rules)
Detect AmsiEnable Registry Modification via Registry Events
Severity: high. Detects modifications to the AmsiEnable registry value using Sysmon registry event logs.
Detect AmsiEnable Registry Modification via Process Creation
Severity: medium. Detects processes whose command lines are typically associated with disabling AMSI through this value.