AmsiEnable Registry Key tampered

Rule name: AmsiEnable Registry Key tampered

Rule type: Standard

Log sources: Sysmon, Windows

MITRE ATT&CK tags: Persistence: Modify Registry (T1112), Defense evasion: Modify Registry (T1112)

Severity: Critical

About the rule

Rule Type

Standard

Rule Description

Detects attempts to disable the Antimalware Scan Interface (AMSI) by modifying the 'AmsiEnable' registry key. AMSI is a versatile standard interface that allows applications and services to integrate with any antimalware product present on a computer. Disabling it allows malicious scripts (PowerShell, VBScript, etc.) to run without being inspected by the antivirus engine.

Why this rule?

Tampering with the AMSI registry key disables Windows' script and malware scanning capabilities, allowing malicious code to execute undetected. This anti-malware evasion technique is commonly used before deploying payloads or running offensive tools. Identifying this modification provides an early warning of imminent malicious activity.

Severity

Critical

Rule journey

Attack chain scenario

Initial Access → Execution → Defense Evasion → Registry Modification (AmsiEnable set to 0) → Execution of obfuscated malicious scripts → Bypass of local AV/EDR.

Impact

Adversaries can execute malicious code in memory that would otherwise be blocked by security software. This leads to a higher risk of successful malware infection and persistence.

Rule Requirement

Prerequisites

Enable Registry auditing for the path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Settings.

Criteria

Action1: actionname = "Registry Event"
  AND ( OBJECTNAME endswith "AmsiEnable" OR OBJECTVALUENAME = "AmsiEnable" )
  AND ( CHANGES = "0" OR INFORMATION = "DWORD (0x00000000)" )
select Action1.HOSTNAME, Action1.MESSAGE, Action1.PROCESSNAME, Action1.OBJECTNAME, Action1.OBJECTVALUENAME, Action1.ACCESSES, Action1.USERNAME, Action1.DOMAIN, Action1.PREVVAL, Action1.CHANGES, Action1.INFORMATION
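As an added illustration (not the SIEM's rule engine and not the vendor's code), the Python below applies the criteria above to a few constructed, normalized registry events that use the rule's own field names. Every host, user, process path and record is invented for the example; the two shapes of "set to 0" (a bare new value in CHANGES, or Sysmon's rendered "DWORD (0x00000000)" in INFORMATION) follow the criteria as written.

```python
"""Apply the AmsiEnable-tampering criteria to normalized registry events.

Added illustration, not the SIEM's rule engine: the field names (actionname,
OBJECTNAME, OBJECTVALUENAME, CHANGES, INFORMATION, ...) are the ones the rule
selects, and every record below is constructed for the example.
"""
from typing import Dict, List

SELECTED_FIELDS = [
    "HOSTNAME", "MESSAGE", "PROCESSNAME", "OBJECTNAME", "OBJECTVALUENAME",
    "ACCESSES", "USERNAME", "DOMAIN", "PREVVAL", "CHANGES", "INFORMATION",
]

# Constructed sample events (hosts, users and paths are invented).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # Sysmon-style value-set on the HKLM key from the prerequisites; the new
        # data arrives pre-rendered as "DWORD (0x00000000)" in INFORMATION.
        "actionname": "Registry Event", "HOSTNAME": "WS-042",
        "USERNAME": "jdoe", "DOMAIN": "CORP",
        "PROCESSNAME": r"C:\Windows\System32\reg.exe",
        "OBJECTNAME": r"HKLM\SOFTWARE\Microsoft\Windows Script\Settings\AmsiEnable",
        "OBJECTVALUENAME": "", "PREVVAL": "", "CHANGES": "",
        "INFORMATION": "DWORD (0x00000000)",
    },
    {   # Windows registry-audit style: value name and new data in separate fields.
        "actionname": "Registry Event", "HOSTNAME": "WS-042",
        "USERNAME": "svc_build", "DOMAIN": "CORP",
        "PROCESSNAME": r"C:\Windows\regedit.exe",
        "OBJECTNAME": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Script\Settings",
        "OBJECTVALUENAME": "AmsiEnable", "PREVVAL": "1", "CHANGES": "0",
        "INFORMATION": "",
    },
    {   # Same value restored to 1 (the remediation step): must not match.
        "actionname": "Registry Event", "HOSTNAME": "WS-042",
        "USERNAME": "ir-analyst", "DOMAIN": "CORP",
        "PROCESSNAME": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OBJECTNAME": r"HKLM\SOFTWARE\Microsoft\Windows Script\Settings\AmsiEnable",
        "OBJECTVALUENAME": "", "PREVVAL": "", "CHANGES": "",
        "INFORMATION": "DWORD (0x00000001)",
    },
    {   # Some unrelated value set to 0: must not match.
        "actionname": "Registry Event", "HOSTNAME": "WS-007",
        "USERNAME": "jdoe", "DOMAIN": "CORP",
        "PROCESSNAME": r"C:\Windows\System32\svchost.exe",
        "OBJECTNAME": r"HKLM\SOFTWARE\Example\Feature\Enabled",
        "OBJECTVALUENAME": "", "PREVVAL": "", "CHANGES": "",
        "INFORMATION": "DWORD (0x00000000)",
    },
    {   # Not a registry event at all (a file named AmsiEnable): must not match.
        "actionname": "File Event", "HOSTNAME": "WS-007",
        "USERNAME": "jdoe", "DOMAIN": "CORP",
        "PROCESSNAME": r"C:\Windows\System32\notepad.exe",
        "OBJECTNAME": r"C:\Temp\AmsiEnable",
        "OBJECTVALUENAME": "", "PREVVAL": "", "CHANGES": "0",
        "INFORMATION": "",
    },
]


def matches_amsi_tamper(ev: Dict[str, str]) -> bool:
    """Mirror of the rule's criteria.

    Registry names are case-insensitive on Windows, so this example lowercases
    both sides of the name checks (a choice made here; the page's criteria are
    written without a case qualifier).
    """
    if ev.get("actionname") != "Registry Event":
        return False
    object_name = ev.get("OBJECTNAME", "").lower()
    value_name = ev.get("OBJECTVALUENAME", "").lower()
    names_amsi = object_name.endswith("amsienable") or value_name == "amsienable"
    # Two producers, two shapes of "set to 0": a bare new value, or Sysmon's rendering.
    set_to_zero = ev.get("CHANGES") == "0" or ev.get("INFORMATION") == "DWORD (0x00000000)"
    return names_amsi and set_to_zero


def select_fields(ev: Dict[str, str]) -> Dict[str, str]:
    """The rule's select clause: keep only the fields an analyst is handed."""
    return {field: ev.get(field, "") for field in SELECTED_FIELDS}


def run_rule(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert record per matching event, in input order."""
    return [select_fields(ev) for ev in events if matches_amsi_tamper(ev)]


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert["HOSTNAME"], alert["DOMAIN"] + "\\" + alert["USERNAME"], alert["PROCESSNAME"])
```

Running it yields two alerts (the reg.exe change and the regedit.exe change) and none for the restore to 1, the unrelated value, or the file event. The case-insensitive comparison is the one deliberate departure from the criteria as printed: a log producer that emits the value name in a different case would otherwise slip past an `endswith "AmsiEnable"` test.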

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Persistence: Modify Registry (T1112), Defense evasion: Modify Registry (T1112)

Future actions

Known False Positives

Rare. Usually only seen in specialized development environments where legacy scripts are incompatible with AMSI or during security testing.

Next Steps

  1. Identification: Identify the process and user that modified the registry key.
  2. Analysis: Check for the execution of PowerShell or other scripting engines immediately following the change.
  3. Response: Revert the registry value to '1' and isolate the host to scan for malicious script artifacts.
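The three steps above, walked through as an added example (not the vendor's playbook) over a constructed alert and constructed process-creation records. The host, users, timestamps and paths are invented, the 15-minute look-ahead window and the list of script engines are assumptions made here, and the revert is emitted as a PowerShell Set-ItemProperty line for an operator to review rather than executed.

```python
"""Triage walk-through for an AmsiEnable-tampering alert.

Added example, not the vendor's playbook. The steps mirror the Next Steps above:
1. identify the process and user from the alert's selected fields,
2. look for script engines launched on the same host shortly after the change,
3. produce the response actions (revert the value to 1, isolate the host).
All records, hosts, users and times below are constructed.
"""
from datetime import datetime, timedelta
from typing import Dict, List

# Script engines whose launch right after the change is what step 2 looks for
# (an assumed list for this example).
SCRIPT_ENGINES = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Constructed alert, i.e. the rule's selected fields plus an event timestamp.
ALERT: Dict[str, str] = {
    "TIMESTAMP": "2024-05-06T10:15:02Z",
    "HOSTNAME": "WS-042", "USERNAME": "jdoe", "DOMAIN": "CORP",
    "PROCESSNAME": r"C:\Windows\System32\reg.exe",
    "OBJECTNAME": r"HKLM\SOFTWARE\Microsoft\Windows Script\Settings\AmsiEnable",
    "INFORMATION": "DWORD (0x00000000)",
}

# Constructed process-creation records (Sysmon process-create style, normalized).
PROCESS_EVENTS: List[Dict[str, str]] = [
    {"TIMESTAMP": "2024-05-06T10:14:50Z", "HOSTNAME": "WS-042", "USERNAME": "jdoe",
     "IMAGE": r"C:\Windows\System32\cmd.exe", "COMMANDLINE": "cmd.exe"},  # before the change
    {"TIMESTAMP": "2024-05-06T10:15:40Z", "HOSTNAME": "WS-042", "USERNAME": "jdoe",
     "IMAGE": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "COMMANDLINE": r"powershell.exe -NoProfile -File C:\Users\jdoe\AppData\Local\Temp\run.ps1"},  # the hit
    {"TIMESTAMP": "2024-05-06T10:16:10Z", "HOSTNAME": "WS-007", "USERNAME": "asmith",
     "IMAGE": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "COMMANDLINE": "powershell.exe"},  # other host, ignored
    {"TIMESTAMP": "2024-05-06T10:17:05Z", "HOSTNAME": "WS-042", "USERNAME": "jdoe",
     "IMAGE": r"C:\Windows\System32\notepad.exe", "COMMANDLINE": "notepad.exe"},  # not a script engine
    {"TIMESTAMP": "2024-05-06T13:20:00Z", "HOSTNAME": "WS-042", "USERNAME": "jdoe",
     "IMAGE": r"C:\Windows\System32\wscript.exe", "COMMANDLINE": "wscript.exe login.vbs"},  # outside window
]


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def identify_actor(alert: Dict[str, str]) -> Dict[str, str]:
    """Step 1: who changed the value, with what process, on which host."""
    return {
        "host": alert["HOSTNAME"],
        "user": f"{alert['DOMAIN']}\\{alert['USERNAME']}",
        "process": alert["PROCESSNAME"],
    }


def followup_script_launches(alert: Dict[str, str], proc_events: List[Dict[str, str]],
                             window: timedelta = timedelta(minutes=15)) -> List[Dict[str, str]]:
    """Step 2: script engines started on the alert host within `window` after the change."""
    start = _ts(alert["TIMESTAMP"])
    end = start + window
    hits = []
    for ev in proc_events:
        if ev["HOSTNAME"] != alert["HOSTNAME"]:
            continue
        when = _ts(ev["TIMESTAMP"])
        if not start <= when <= end:
            continue
        exe = ev["IMAGE"].rsplit("\\", 1)[-1].lower()
        if exe in SCRIPT_ENGINES:
            hits.append(ev)
    return hits


def response_actions(alert: Dict[str, str]) -> List[str]:
    """Step 3: revert to 1 and isolate. The revert is returned as a PowerShell
    Set-ItemProperty line for an operator to review; nothing is executed here."""
    key, _, value = alert["OBJECTNAME"].rpartition("\\")
    ps_path = key.replace("HKLM\\", "HKLM:\\", 1)  # PowerShell registry drive form
    return [
        f"Set-ItemProperty -Path '{ps_path}' -Name {value} -Value 1 -Type DWord",
        f"Isolate {alert['HOSTNAME']} from the network and collect script artifacts for review",
    ]


def triage(alert: Dict[str, str], proc_events: List[Dict[str, str]]) -> Dict[str, object]:
    """Run all three steps and return one report an analyst can act on."""
    return {
        "identification": identify_actor(alert),
        "analysis": followup_script_launches(alert, proc_events),
        "response": response_actions(alert),
    }


if __name__ == "__main__":
    for section, content in triage(ALERT, PROCESS_EVENTS).items():
        print(section, content)
```

On the constructed data the report names CORP\jdoe and reg.exe on WS-042, surfaces the single powershell.exe launch 38 seconds after the change (the launch on the other host, the notepad.exe start, and the wscript.exe start three hours later are all excluded), and returns the revert and isolation actions. Widening the window is the knob to turn when the host's clock or log latency is uncertain.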

Mitigation

ID: M1024

Mitigation: Restrict Registry Permissions

Description: Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.