forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdefense_evasion_amsienable_key_mod.toml
53 lines (45 loc) · 1.63 KB
/
defense_evasion_amsienable_key_mod.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
[metadata]
creation_date = "2021/06/01"
maturity = "production"
updated_date = "2021/06/01"
[rule]
author = ["Elastic"]
description = """
JScript tries to query the AmsiEnable registry key from the HKEY_USERS registry hive before initializing Antimalware
Scan Interface (AMSI). If this key is set to 0, AMSI is not enabled for the JScript process. An adversary can modify
this key to disable AMSI protections.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Modification of AmsiEnable Registry Key"
references = [
"https://hackinparis.com/data/slides/2019/talks/HIP2019-Dominic_Chell-Cracking_The_Perimeter_With_Sharpshooter.pdf",
"https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal",
]
risk_score = 73
rule_id = "f874315d-5188-4b4a-8521-d1c73093a7e4"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
registry where event.type in ("creation", "change") and
registry.path: "HKEY_USERS\\*\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable" and
registry.data.strings: "0"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"