← Back to SOC feed Coverage →

Removal Of AMSI Provider Registry Keys

sigma HIGH SigmaHQ
T1685
imRegistry
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-24T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.

Detection Rule

Sigma (Original)

title: Removal Of AMSI Provider Registry Keys
id: 41d1058a-aea7-4952-9293-29eaaf516465
status: test
description: Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
    - https://seclists.org/fulldisclosure/2020/Mar/45
author: frack113
date: 2021-06-07
modified: 2025-10-07
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    category: registry_delete
detection:
    selection:
        TargetObject|endswith:
            - '{2781761E-28E0-4109-99FE-B9D127C57AFE}' # IOfficeAntiVirus
            - '{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}' # ProtectionManagement.dll
    filter_main_defender:
        Image|startswith:
            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
            - 'C:\Program Files\Windows Defender\'
            - 'C:\Program Files (x86)\Windows Defender\'
        Image|endswith: '\MsMpEng.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key/info.yml
simulation:
    - type: atomic-red-team
      name: AMSI Bypass - Remove AMSI Provider Reg Key
      technique: T1562.001
      atomic_guid: 13f09b91-c953-438e-845b-b585e51cac9b

KQL (Azure Sentinel)

imRegistry
| where (RegistryKey endswith "{2781761E-28E0-4109-99FE-B9D127C57AFE}" or RegistryKey endswith "{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}") and (not(((ActingProcessName startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\" or ActingProcessName startswith "C:\\Program Files\\Windows Defender\\" or ActingProcessName startswith "C:\\Program Files (x86)\\Windows Defender\\") and ActingProcessName endswith "\\MsMpEng.exe")))

Required Data Sources

Sentinel TableNotes
imRegistryEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml