
Creation of AMSI deactivation rule in Azure Sentinel


Hello guys,

I am investigating the creation of a detection rule in Azure Sentinel: I want to monitor whether AMSI has been disabled on a Windows 10 device.

I have run the disable command, but it does not show me anything in the security events. This is the command:

"[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"

I have several questions:

In which section of the events should I look?
Do they appear in the security events?
Can the AMSI event be monitored with the event ID 4688?
How can I see the AMSI status?

Regards.

1 Reply

Best response confirmed by Cristian_Librero:

Hey Cristian,

What kind of logging / agents do you have deployed to your Windows 10 fleet to send your data to Sentinel? That will answer the question of where to start hunting for your events.

The SecurityEvent table is a subset of what will appear in the Security Event log on the device itself. When you run that command on a device, does it appear in the local Security Event log? If not, then it won't appear in Azure Sentinel. If it appears in the local Security Event log but not in Azure Sentinel, then you will need to make sure you have configured the agent correctly to send the proper data up. There are some guides here - https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events?tabs=LAA or https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events?tabs=AMA

If you have Defender for Endpoint, then make sure you are sending the logs from Defender to Sentinel - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/threat-protection-integrat... - then you will be looking in the Device* tables, such as DeviceProcessEvents.
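As an added example that is not part of the original reply, the following KQL hunts both tables the reply points to (SecurityEvent via event ID 4688, and DeviceProcessEvents from Defender for Endpoint) for the AMSI-disabling command line quoted in the question. It assumes both tables exist in the workspace and uses the standard Sentinel / MDE column names; the indicator list is constructed from the strings in the question.

```kql
// Added example, not from the original thread: hunt for the AMSI bypass
// command line quoted in the question across both data sources.
// Indicator strings are taken from the command in the question.
let amsiIndicators = dynamic(["amsiInitFailed", "AmsiUtils", "System.Management.Automation.Amsi"]);
// Event ID 4688 only carries the command line when "Include command line in
// process creation events" is enabled by policy on the endpoint; without it
// the CommandLine column is empty and this branch returns nothing.
let fromSecurityEvent = SecurityEvent
    | where EventID == 4688
    | where CommandLine has_any (amsiIndicators)
    | project TimeGenerated, Computer, Account,
              Process = NewProcessName, ParentProcess = ParentProcessName,
              CommandLine, Source = "SecurityEvent";
// Defender for Endpoint process creations land in DeviceProcessEvents.
let fromDefender = DeviceProcessEvents
    | where FileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
    | where ProcessCommandLine has_any (amsiIndicators)
    | project TimeGenerated = Timestamp, Computer = DeviceName,
              Account = InitiatingProcessAccountName, Process = FolderPath,
              ParentProcess = InitiatingProcessFileName,
              CommandLine = ProcessCommandLine, Source = "DeviceProcessEvents";
// Normalise both sources to one schema so a single analytics rule covers
// devices reporting through either agent.
union fromSecurityEvent, fromDefender
| order by TimeGenerated desc
```

A literal match like this only catches the unobfuscated form used in the question; for broader coverage, also collect PowerShell script block logging (event ID 4104) rather than relying on process command-line text alone.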