AMSI Disablement via Registry Modification
Attackers disable the Antimalware Scan Interface (AMSI) by modifying the Windows registry value 'AmsiEnable' to '0x00000000' to evade detection, commonly employed by ransomware, RATs, and APTs.
Attackers are increasingly targeting the Antimalware Scan Interface (AMSI) to bypass security controls. By modifying specific registry entries, threat actors can effectively disable AMSI, preventing it from scanning and detecting malicious scripts and payloads. This technique is frequently observed in ransomware attacks, RAT deployments, and APT campaigns where stealth and evasion are critical. The targeted registry value is typically ‘AmsiEnable’ located within the ‘SOFTWARE\Microsoft\Windows Script\Settings’ path. Disabling AMSI allows attackers to execute malicious code without triggering alerts from security solutions that rely on AMSI for threat detection. This tactic significantly increases the success rate of malware infections and data breaches.
Attack Chain
- Initial Access: Attackers gain initial access through various means, such as phishing emails, exploiting vulnerabilities, or compromised credentials.
- Privilege Escalation: If necessary, attackers escalate privileges to gain administrative rights required to modify the registry.
- Registry Modification: The attacker modifies the ‘AmsiEnable’ registry value to ‘0x00000000’ under the path ‘HKLM\SOFTWARE\Microsoft\Windows Script\Settings’ or ‘HKCU\SOFTWARE\Microsoft\Windows Script\Settings’.
- AMSI Disabled: With the registry value modified, AMSI is disabled, and malicious scripts can execute without being scanned.
- Payload Execution: The attacker executes the malicious payload, such as ransomware, a RAT, or other malware.
- Lateral Movement: The attacker uses the compromised system as a launchpad to move laterally within the network, compromising additional systems.
- Data Exfiltration/Encryption: Depending on the attacker’s objectives, they may exfiltrate sensitive data or encrypt files for ransom.
- Persistence: The attacker establishes persistence mechanisms to maintain access to the compromised environment.
Impact
Successful disabling of AMSI can lead to widespread malware infections, data breaches, and significant financial losses. Ransomware attacks can cripple organizations, causing disruption to operations and demanding large ransom payments. Data exfiltration can result in the loss of sensitive information, leading to reputational damage and legal liabilities. Disabling AMSI significantly increases the likelihood of successful attacks and reduces the effectiveness of security solutions.
Recommendation
- Deploy the Sigma rule “Detect AMSI Disablement via Registry Modification” to detect attempts to disable AMSI by monitoring changes to the ‘AmsiEnable’ registry value.
- Enable Sysmon Event ID 13 (Registry value set) to collect the necessary data for the detection rule.
- Investigate any alerts generated by the Sigma rule to determine if the activity is malicious.
- Implement strong access control policies to limit who can modify registry settings on endpoints.
- Regularly review and update security policies to address emerging threats and techniques.
Detection coverage (2 rules)
Detect AMSI Disablement via Registry Modification
Severity: high. Detects modifications to the Windows registry that disable AMSI by setting the 'AmsiEnable' value to '0x00000000'.
Detect AMSI Disablement via Registry - Alternate Location
Severity: high. Detects modifications to the Windows registry that disable AMSI by setting the 'AmsiEnable' value to '0x00000000' in the Current User hive.
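The following Python is an added example, not the platform's Sigma rules or its stored queries. It implements the logic of both coverage rules above (machine hive and current-user hive) and of the Sysmon Event ID 13 recommendation as a check over constructed Sysmon "Registry value set" messages. The "Field: value" message layout, the HKU\<SID> form Sysmon uses for current-user keys, and the "DWORD (0x00000000)" rendering of the Details field are assumptions about Sysmon's output; the sample records, process names and SIDs are constructed, not real telemetry.

```python
import re

# Constructed Sysmon Event ID 13 ("Registry value set") messages in the
# "Field: value" text layout Sysmon writes to the event log (assumed layout).
# None of these records is real telemetry.
SAMPLE_MESSAGES = [
    # Machine-wide disable written by reg.exe: should alert (scope = machine).
    "Registry value set:\n"
    "RuleName: -\n"
    "EventType: SetValue\n"
    "UtcTime: 2024-05-01 10:15:02.113\n"
    "ProcessId: 4120\n"
    "Image: C:\\Windows\\System32\\reg.exe\n"
    "TargetObject: HKLM\\SOFTWARE\\Microsoft\\Windows Script\\Settings\\AmsiEnable\n"
    "Details: DWORD (0x00000000)\n"
    "User: CORP\\alice",
    # Current-user disable; Sysmon renders HKCU as HKU\<SID> (assumed), so the
    # rule matches on the key suffix rather than the hive prefix. Should alert (scope = user).
    "Registry value set:\n"
    "RuleName: -\n"
    "EventType: SetValue\n"
    "UtcTime: 2024-05-01 10:16:40.508\n"
    "ProcessId: 5212\n"
    "Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n"
    "TargetObject: HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001"
    "\\SOFTWARE\\Microsoft\\Windows Script\\Settings\\AmsiEnable\n"
    "Details: DWORD (0x00000000)\n"
    "User: CORP\\bob",
    # Same value set back to 1 (re-enabling AMSI): must not alert.
    "Registry value set:\n"
    "RuleName: -\n"
    "EventType: SetValue\n"
    "UtcTime: 2024-05-01 10:20:11.002\n"
    "ProcessId: 6020\n"
    "Image: C:\\Windows\\regedit.exe\n"
    "TargetObject: HKLM\\SOFTWARE\\Microsoft\\Windows Script\\Settings\\AmsiEnable\n"
    "Details: DWORD (0x00000001)\n"
    "User: CORP\\admin",
    # Unrelated (constructed) key written with the same zero value: must not alert.
    "Registry value set:\n"
    "RuleName: -\n"
    "EventType: SetValue\n"
    "UtcTime: 2024-05-01 10:21:05.770\n"
    "ProcessId: 812\n"
    "Image: C:\\Windows\\System32\\svchost.exe\n"
    "TargetObject: HKLM\\SOFTWARE\\ExampleVendor\\Telemetry\\Enabled\n"
    "Details: DWORD (0x00000000)\n"
    "User: NT AUTHORITY\\SYSTEM",
]

# The value path the page names, matched as a suffix so HKLM and HKU\<SID> both hit.
AMSI_VALUE_RE = re.compile(r"\\Windows Script\\Settings\\AmsiEnable$", re.IGNORECASE)
# Sysmon's DWORD rendering of a zero value, e.g. "DWORD (0x00000000)" (assumed format).
ZERO_DWORD_RE = re.compile(r"^DWORD \(0x0+\)$", re.IGNORECASE)

RULE_NAMES = {
    "machine": "Detect AMSI Disablement via Registry Modification",
    "user": "Detect AMSI Disablement via Registry - Alternate Location",
}


def parse_sysmon_message(text):
    """Turn a Sysmon message block into a dict; the header line goes under '_header'."""
    lines = text.splitlines()
    fields = {"_header": lines[0].rstrip(":").strip()}
    for line in lines[1:]:
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def registry_scope(target_object):
    """Classify the hive of a Sysmon TargetObject: HKLM -> machine, HKU\\<SID> -> user."""
    hive = target_object.split("\\", 1)[0].upper()
    return {"HKLM": "machine", "HKU": "user"}.get(hive, "unknown")


def is_amsi_disable(event):
    """True only for a SetValue of ...\\Windows Script\\Settings\\AmsiEnable to zero."""
    return (
        event.get("_header") == "Registry value set"
        and event.get("EventType") == "SetValue"
        and AMSI_VALUE_RE.search(event.get("TargetObject", "")) is not None
        and ZERO_DWORD_RE.match(event.get("Details", "")) is not None
    )


def detect(messages):
    """Run the check over raw Sysmon messages and return one alert per disablement."""
    alerts = []
    for text in messages:
        event = parse_sysmon_message(text)
        if not is_amsi_disable(event):
            continue
        scope = registry_scope(event["TargetObject"])
        alerts.append({
            "rule": RULE_NAMES.get(scope, "AMSI disablement (unrecognised hive)"),
            "severity": "high",
            "scope": scope,
            "time": event.get("UtcTime"),
            "image": event.get("Image"),
            "user": event.get("User"),
            "target": event["TargetObject"],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_MESSAGES):
        print(f"[{alert['severity']}] {alert['rule']}: {alert['image']} as {alert['user']} -> {alert['target']}")
```

Two points a practitioner will want to keep in mind when wiring this up: Sysmon only emits Event ID 13 for keys its configuration includes, so the `Windows Script\Settings` key has to be in the include rules or nothing reaches the detection; and a write of `0x00000001` (re-enabling AMSI) is deliberately left unalerted, so the triage step in the recommendations above stays focused on the disabling writes.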