AMSI Enable Registry Key Modification for Defense Evasion

hello@craftedsignal.io — Sat, 27 Jan 2024 18:23:00 +0000

Attackers can disable the Antimalware Scan Interface (AMSI) to evade detection by modifying the AmsiEnable registry key. This technique is commonly employed to execute malicious scripts without triggering security warnings or blocks. The AMSI, a Windows feature, allows applications and services to request the scanning of potentially malicious content (e.g., PowerShell scripts, JScript) before execution. By setting the AmsiEnable value to 0, an attacker can disable AMSI for the current user, effectively bypassing real-time script scanning. This action is often a precursor to deploying further malicious payloads or establishing persistence on a compromised system. This behavior has been observed since at least 2019 and continues to be a relevant defense evasion technique.

Attack Chain

An attacker gains initial access to the target system, possibly through phishing or exploiting a vulnerability.
The attacker executes a script or binary that attempts to modify the AmsiEnable registry key.
The script or binary uses reg.exe, PowerShell, or another tool to set the AmsiEnable registry value to 0. The registry key location is typically HKEY_USERS\\Software\Microsoft\Windows Script\Settings\AmsiEnable.
After successfully disabling AMSI, the attacker proceeds to execute malicious scripts or code. These scripts may use powershell.exe, wscript.exe, or cscript.exe.
The malicious scripts download and execute additional payloads, such as malware or remote access tools (RATs).
The attacker performs lateral movement within the network using the compromised system as a pivot.
The attacker attempts to establish persistence, ensuring continued access to the system even after reboots.
The attacker exfiltrates sensitive data or deploys ransomware to achieve their objectives.

Impact

Successful modification of the AmsiEnable registry key allows attackers to execute malicious scripts without triggering AMSI alerts, leading to potential malware infections, data breaches, and system compromise. Disabling AMSI significantly reduces the effectiveness of endpoint security solutions, making the system more vulnerable to attack. The impact can range from individual workstation compromise to widespread network infections, depending on the attacker’s objectives and the organization’s security posture.

Recommendation

Deploy the Sigma rule Detect AmsiEnable Registry Modification via Registry Events to your SIEM to detect modifications to the AmsiEnable registry key.
Enable Sysmon registry event logging to provide the necessary data for the Sigma rule to function.
Monitor process creation events for processes modifying registry keys, especially reg.exe and PowerShell, using the rule Detect AmsiEnable Registry Modification via Process Creation.
Investigate any alerts generated by these rules promptly to determine if the activity is malicious or legitimate.
Implement application control policies to restrict the execution of unsigned or untrusted scripts and binaries.
Harden systems by restricting user permissions to modify critical registry keys.

Potential Antimalware Scan Interface Bypass via PowerShell

hello@craftedsignal.io — Tue, 09 Jan 2024 16:23:00 +0000

This detection identifies PowerShell scripts that attempt to circumvent the Antimalware Scan Interface (AMSI), a security feature in Windows designed to prevent the execution of malicious scripts and code. Attackers use AMSI bypass techniques to disable real-time scanning and execute malicious PowerShell code without detection. The bypasses often involve manipulating AMSI’s internal state or patching its scanning routines. This allows attackers to deliver and execute payloads undetected, leading to potential system compromise. This technique is actively used by various threat actors to evade defenses.

Attack Chain

An attacker gains initial access to the system, typically through phishing or exploiting a vulnerability.
The attacker executes a PowerShell script.
The PowerShell script contains code designed to bypass AMSI, such as manipulating the AmsiScanBuffer function or unmanaged code injection.
The AMSI bypass is executed, disabling real-time scanning of PowerShell scripts.
The attacker then executes a malicious payload within the same PowerShell session, which is no longer subject to AMSI scanning.
The malicious payload performs actions such as downloading additional malware, establishing persistence, or exfiltrating data.
The attacker leverages the compromised system for further lateral movement or to achieve their objectives, such as data theft or ransomware deployment.

Impact

Successful AMSI bypass can lead to the execution of arbitrary code on the affected system, potentially resulting in data breaches, system compromise, and the installation of malware. Because AMSI is a core component of Windows security, its bypass represents a significant security risk.

Recommendation

Enable PowerShell Script Block Logging to capture the contents of PowerShell scripts, which is essential for this detection to function effectively (reference: Setup section).
Deploy the Sigma rule “Potential Antimalware Scan Interface Bypass via PowerShell” to detect scripts containing known AMSI bypass techniques (reference: rules section below).
Investigate alerts generated by the Sigma rule, focusing on the script content and the context in which it was executed to identify potential malicious activity (reference: note section).

Amsi — CraftedSignal Threat Feed

AMSI Enable Registry Key Modification for Defense Evasion

Attack Chain

Impact

Recommendation

Potential Antimalware Scan Interface Bypass via PowerShell

Attack Chain

Impact

Recommendation