Tag

Amsi

3 briefs RSS

AMSI Enable Registry Key Modification for Defense Evasion

Adversaries modify the AmsiEnable registry key to 0 to disable Windows Script AMSI scanning, bypassing AMSI protections for Windows Script Host or JScript execution.

Microsoft Defender XDR +4 defense-evasion amsi registry windows

2r 1t Jan 27, 2024

high advisory

Potential Antimalware Scan Interface Bypass via PowerShell

3 rules 1 TTP

This rule detects PowerShell scripts that attempt to bypass the Antimalware Scan Interface (AMSI) in order to disable scanning and execute malicious PowerShell code undetected.

defense-evasion amsi powershell windows

3r 1t Jan 9, 2024

high advisory

AMSI Disablement via Registry Modification

2 rules

Attackers disable the Antimalware Scan Interface (AMSI) by modifying the Windows registry value 'AmsiEnable' to '0x00000000' to evade detection, commonly employed by ransomware, RATs, and APTs.

Windows +3 amsi defense-evasion registry-modification ransomware

2r Jan 3, 2024