Potential AMSI COM Server Hijacking

Rule Info

Name: Potential AMSI COM Server Hijacking
Author: Nasreddine Bencherchali (Nextron Systems)
Description: Detects changes to the AMSI COM server registry key made in order to disable AMSI scanning functionality. When AMSI attempts to start its COM component, it queries its registered CLSID; a hijacked key returns a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless.
Date: 2023-01-04 00:00:00
Modified: 2023-08-17 00:00:00
Id: 160d2780-31f7-4922-8b3a-efce30e63e96
Tags: attack.defense-evasion attack.t1562.001
Type: Community Rule

Rule History

Author                    Title                                                                                     Date        Commit
Nasreddine Bencherchali   Merge PR #4950 from @nasbench - Comply With v2 Spec Changes                               2024-08-12
github-actions[bot]       Merge PR #4891 from @nasbench - Promote older rules status from `experimental` to `test`  2024-07-01
frack113                  Refactor registry_set rules                                                               2023-08-17
Nasreddine Bencherchali   chore: add nextron authors tag                                                            2023-02-01
Nasreddine Bencherchali   feat: updates and enhancements                                                            2023-01-04