@mattifestation
Created April 21, 2020 23:25
Twitch Stream Notes 04/21/2020 - Obfuscated Script-based Malware Analysis with the Anti-Malware Scan Interface (AMSI)

Malware Sample Inspected

Trickbot COVID macro lure via MSFT: ec34b207d503a3c95ee743ee296a08e93a5e960aa4611ea8c39d8e5d4c5f6593

test.js

eval("WScript.CreateObject(\"WScript.Shell\").Run(\"calc.exe\");");

Tools Used

Perfview - Used to dump the instrumentation manifest for the AMSI ETW provider using the following command:

PerfView.exe /nogui userCommand DumpRegisteredManifest Microsoft-Antimalware-Scan-Interface

WEPExplore - Visual UI for inspecting ETW provider manifests

Commands Issued

Validate that AMSI is configured to collect on all VBA macros:

Get-ItemPropertyValue -Path HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security\ -Name MacroRuntimeScanScope

MacroRuntimeScanScope takes three values: 0 disables macro runtime scanning for all documents, 1 (the default when the policy is not set, in which case the value is absent and the command above errors) enables it only for low-trust documents, and 2 enables it for all documents. A value of 2 is what you want during analysis, so that every macro run is handed to AMSI regardless of the document's trust level.

Start an AMSI ETW trace:

logman --% start AMSITrace -p Microsoft-Antimalware-Scan-Interface (Event1) 0x4 -o AMSITrace.etl -ets

Stop an AMSI ETW trace:

logman stop AMSITrace -ets

Note: --% is PowerShell's stop-parsing token. Everything after it is passed to logman verbatim; without it PowerShell would try to evaluate (Event1) as a subexpression. Starting and stopping a real-time session with -ets requires an elevated prompt.

PS function to cleanup the output of Get-WinEvent for interpreting AMSI trace data:

function Get-AMSITraceEvent {
    param (
        [Parameter(Mandatory)]
        [String]
        $FilePath
    )

    # Event ID 1101 is the AMSI scan event: one per buffer handed to the provider.
    Get-WinEvent -Path $FilePath -Oldest -FilterXPath '*[System[EventID = 1101]]' | ForEach-Object {
        $Event = $_

        # Map the raw AMSI_RESULT value (amsi.h) to its symbolic name. Inside a
        # switch block $_ is the value under test, not the pipeline event, so the
        # original default branch ($_.Properties[2].Value) evaluated to $null.
        switch ($Event.Properties[2].Value) {
            0       { $ScanResult = 'AMSI_RESULT_CLEAN' }
            1       { $ScanResult = 'AMSI_RESULT_NOT_DETECTED' }
            { $_ -ge 16384 -and $_ -le 20479 } { $ScanResult = 'AMSI_RESULT_BLOCKED_BY_ADMIN' }   # 0x4000-0x4FFF
            32768   { $ScanResult = 'AMSI_RESULT_DETECTED' }                                        # 0x8000
            default { $ScanResult = $_ }   # 2..16383: provider-specific risk level, returned raw
        }

        # Property order follows the provider manifest dumped with PerfView above.
        [PSCustomObject] @{
            TimeCreated     = $Event.TimeCreated
            ProcessId       = $Event.ProcessId
            ThreadId        = $Event.ThreadId
            Session         = $Event.Properties[0].Value
            ScanStatus      = $Event.Properties[1].Value
            ScanResult      = $ScanResult
            AppName         = $Event.Properties[3].Value
            ContentName     = $Event.Properties[4].Value
            ContentSize     = $Event.Properties[5].Value
            OriginalSize    = $Event.Properties[6].Value
            # Script hosts (PowerShell, WSH, VBA) submit their source as UTF-16LE
            Content         = [Text.Encoding]::Unicode.GetString($Event.Properties[7].Value)
            Hash            = (($Event.Properties[8].Value | ForEach-Object { '{0:X2}' -f $_ }) -join '')
            ContentFiltered = $Event.Properties[9].Value
        }
    }
}
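The logman and Get-WinEvent steps above can be tied together so that one command captures a sample's AMSI buffers and writes each distinct decoded layer to disk, which is the payoff for obfuscated scripts: every string the engine hands to eval is scanned separately, so the trace yields the deobfuscated layers without writing a deobfuscator. The following is an added example and not part of the original notes; the function and parameter names are ours. It assumes an elevated PowerShell session (logman -ets needs it), Windows Defender or another AMSI provider registered, the sample is a WSH script such as the test.js above, and the event 1101 property layout shown in the notes.

```powershell
# Added example, not from the original gist: capture the AMSI scan events a
# WSH sample produces and dump each unique scanned buffer as its own file.
# Assumes an elevated prompt and that the sample runs under wscript.exe.
function Invoke-AMSICapture {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)]
        [String]
        $SamplePath,                                             # e.g. .\test.js

        [String]
        $OutputDirectory = (Join-Path $PWD 'amsi_layers'),

        [Int]
        $TimeoutSeconds = 15
    )

    $sessionName = 'AMSITrace'
    $etlPath = Join-Path $OutputDirectory 'AMSITrace.etl'
    New-Item -ItemType Directory -Path $OutputDirectory -Force | Out-Null

    # Same provider, keyword (Event1 = 0x4) and level as the logman command in
    # the notes. Quoting '(Event1)' does inside a script what --% does on the
    # interactive command line: it stops PowerShell from parsing the parentheses.
    & logman.exe start $sessionName -p Microsoft-Antimalware-Scan-Interface '(Event1)' 0x4 -o $etlPath -ets | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "logman start failed with exit code $LASTEXITCODE" }

    try {
        # Run the sample. Each string passed to eval is submitted to AMSI on its
        # own, so nested layers show up as separate 1101 events in the trace.
        $proc = Start-Process -FilePath wscript.exe -ArgumentList "`"$SamplePath`"" -PassThru
        if (-not $proc.WaitForExit($TimeoutSeconds * 1000)) {
            Stop-Process -Id $proc.Id -Force      # sample hung or is waiting on UI
        }
    }
    finally {
        & logman.exe stop $sessionName -ets | Out-Null
    }

    # Event 1101 properties: 0 session, 1 scanStatus, 2 scanResult, 3 appname,
    # 4 contentname, 5 contentsize, 6 originalsize, 7 content, 8 hash, 9 contentFiltered
    $seen = @{}
    Get-WinEvent -Path $etlPath -Oldest -FilterXPath '*[System[EventID = 1101]]' | ForEach-Object {
        $hash = ($_.Properties[8].Value | ForEach-Object { '{0:X2}' -f $_ }) -join ''
        if ($seen.ContainsKey($hash)) { return }   # identical buffer scanned again; skip
        $seen[$hash] = $true

        $appName   = $_.Properties[3].Value -replace '[^\w\.-]', '_'
        $content   = [Text.Encoding]::Unicode.GetString($_.Properties[7].Value)
        $layerFile = Join-Path $OutputDirectory ('{0}_{1}_{2}.txt' -f $seen.Count, $appName, $hash.Substring(0, 16))
        Set-Content -Path $layerFile -Value $content -Encoding UTF8

        [PSCustomObject] @{
            Layer      = $seen.Count
            AppName    = $_.Properties[3].Value
            ScanResult = $_.Properties[2].Value
            Length     = $content.Length
            File       = $layerFile
        }
    }
}

# Usage: Invoke-AMSICapture -SamplePath .\test.js
```

For the test.js sample in the notes this yields two layers: the script file itself and the eval'd string that calls WScript.Shell.Run. On a real obfuscated lure the later files are the decoded stages; the hash column lets you spot the same stage being re-scanned, and a ScanResult of 32768 on a late layer tells you which stage the provider actually detected.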

Additional References
