Suspicious Antimalware Scan Interface DLL

edit

Suspicious Antimalware Scan Interface DLL

edit

Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusual location. This may indicate an attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*
  • endgame-*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Defense Evasion
  • Elastic Endgame

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
file where event.action != "deletion" and file.path != null and
 file.name : ("amsi.dll", "amsi") and not file.path : ("?:\\Windows\\system32\\amsi.dll", "?:\\Windows\\Syswow64\\amsi.dll")

Framework: MITRE ATT&CKTM