Amsi.DLL Load By Uncommon Process

Rule Info

Tags
attack.defense_evasion attack.t1490 attack.impact DEMO
Modified
None
Author
frack113
Name
Amsi.DLL Load By Uncommon Process
Description
Detects loading of Amsi.dll by uncommon processes
Date
2023-03-12 00:00:00
Reference
https://infosecwriteups.com/amsi-bypass-new-way-2023-d506345944e9
Id
facd1549-e416-48e0-b8c4-41d7215eedc8
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=facd1549-e416-48e0-b8c4-41d7215eedc8

Rule History

Commit
Date
Author
Title
61a6ca59b
2023-03-12
frack113
feat: new rule `amsi.dll load by uncommon process` (#4102)
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022