Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
A simple AMSI event trace parser
# Author: Matt Graeber
# Company: Red Canary
# To start a trace, run the following from an elevated command prompt: logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITrace.etl -ets
# To stop the trace, run the following: logman stop AMSITrace -ets
# Example usage: Get-AMSIEvent -Path .\AMSITrace.etl
function Get-AMSIEvent {
param (
[Parameter(Mandatory)]
[String]
[ValidatePattern('\.etl$')] # File path must end with .etl
$Path
)
# AMSI events correspond to event ID 1101
Get-WinEvent -Path $Path -Oldest -FilterXPath 'Event[System[Provider[@Name="Microsoft-Antimalware-Scan-Interface"]] and System[EventID=1101]]' | ForEach-Object {
$ScanResultValue = $_.Properties[2].Value
if ($ScanResultValue -eq 0) {
$ScanResult = 'AMSI_RESULT_CLEAN'
} elseif ($ScanResultValue -eq 1) {
$ScanResult = 'AMSI_RESULT_NOT_DETECTED'
} elseif ($ScanResultValue -eq 32768) {
$ScanResult = 'AMSI_RESULT_DETECTED'
} elseif (($ScanResultValue -ge 0x4000) -and ($ScanResultValue -le 0x4FFF)) {
$ScanResult = 'AMSI_RESULT_BLOCKED_BY_ADMIN'
} else {
$ScanResult = $ScanResultValue
}
$AppName = $_.Properties[3].Value
if (@('DotNet', 'VSS') -contains $AppName) {
# In this case, the AMSI buffer is a raw byte array of the full .NET assembly PE
$AMSIContentString = [BitConverter]::ToString($_.Properties[7].Value).Replace('-','')
} else {
# In this case, the AMSI buffer is raw byte array of unicode-encoded script code
$AMSIContentString = [Text.Encoding]::Unicode.GetString($_.Properties[7].Value)
}
[PSCustomObject] @{
ProcessId = $_.ProcessId
ThreadId = $_.ThreadId
TimeCreated = $_.TimeCreated
Session = $_.Properties[0].Value
ScanStatus = $_.Properties[1].Value
ScanResult = $ScanResult
AppName = $AppName
ContentName = $_.Properties[4].Value
ContentSize = $_.Properties[5].Value
OriginalSize = $_.Properties[6].Value
Content = $AMSIContentString
Hash = (($_.Properties[8].Value | % { '{0:X2}' -f $_ }) -join '')
ContentFiltered = $_.Properties[9].Value
}
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment