A simple AMSI event trace parser
# Author: Matt Graeber
# Company: Red Canary
# To start a trace, run the following from an elevated command prompt: logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITrace.etl -ets
# To stop the trace, run the following: logman stop AMSITrace -ets
# Example usage: Get-AMSIEvent -Path .\AMSITrace.etl
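function Get-AMSIEvent {
<#
.SYNOPSIS
Parses AMSI (Antimalware Scan Interface) scan events out of an ETW trace (.etl) file.

.DESCRIPTION
Reads event ID 1101 from the Microsoft-Antimalware-Scan-Interface provider in the given
.etl file (oldest first) and emits one object per scan. The numeric scan result is mapped
to its AMSI_RESULT_* name, and the scanned buffer is decoded to a string: uppercase hex
for DotNet/VSS payloads (a raw PE image), UTF-16LE text for everything else.

.PARAMETER Path
Path to the .etl trace file produced by logman. Must end with ".etl".

.OUTPUTS
PSCustomObject with ProcessId, ThreadId, TimeCreated, Session, ScanStatus, ScanResult,
AppName, ContentName, ContentSize, OriginalSize, Content, Hash and ContentFiltered.

.NOTES
Content is copied verbatim from the buffer the scanned application handed to AMSI, so it is
untrusted data; treat it accordingly when logging it or passing it to other tooling.
#>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)]
        [String]
        [ValidatePattern('\.etl$')] # File path must end with .etl
        $Path
    )

    # AMSI scan events correspond to event ID 1101 of the Microsoft-Antimalware-Scan-Interface provider.
    $FilterXPath = 'Event[System[Provider[@Name="Microsoft-Antimalware-Scan-Interface"]] and System[EventID=1101]]'

    # Applications whose AMSI buffer is a raw PE image rather than script text; rendered as hex.
    $BinaryBufferApps = @('DotNet', 'VSS')

    Get-WinEvent -Path $Path -Oldest -FilterXPath $FilterXPath | ForEach-Object {
        $Event = $_

        # Map the numeric AMSI_RESULT value to its enum name; unknown values are passed through unchanged.
        # 0x4000-0x4FFF is the AMSI_RESULT_BLOCKED_BY_ADMIN range; 32768 (0x8000) is AMSI_RESULT_DETECTED.
        $ScanResultValue = $Event.Properties[2].Value
        $ScanResult = switch ($ScanResultValue) {
            0       { 'AMSI_RESULT_CLEAN'; break }
            1       { 'AMSI_RESULT_NOT_DETECTED'; break }
            32768   { 'AMSI_RESULT_DETECTED'; break }
            { $_ -ge 0x4000 -and $_ -le 0x4FFF } { 'AMSI_RESULT_BLOCKED_BY_ADMIN'; break }
            default { $ScanResultValue }
        }

        $AppName = $Event.Properties[3].Value
        $Buffer  = $Event.Properties[7].Value

        if ($null -eq $Buffer) {
            # No buffer captured for this event: avoid the ArgumentNullException that
            # BitConverter::ToString / GetString would raise and report an empty string instead.
            $AMSIContentString = ''
        } elseif ($BinaryBufferApps -contains $AppName) {
            # The AMSI buffer is the raw byte array of the full .NET assembly PE; render as hex.
            $AMSIContentString = [BitConverter]::ToString($Buffer).Replace('-', '')
        } else {
            # The AMSI buffer is UTF-16LE ("Unicode") encoded script code.
            $AMSIContentString = [Text.Encoding]::Unicode.GetString($Buffer)
        }

        # Hex-encode the content hash bytes; a missing hash yields an empty string.
        $HashString = ($Event.Properties[8].Value | ForEach-Object { '{0:X2}' -f $_ }) -join ''

        [PSCustomObject] @{
            ProcessId       = $Event.ProcessId
            ThreadId        = $Event.ThreadId
            TimeCreated     = $Event.TimeCreated
            Session         = $Event.Properties[0].Value
            ScanStatus      = $Event.Properties[1].Value
            ScanResult      = $ScanResult
            AppName         = $AppName
            ContentName     = $Event.Properties[4].Value
            ContentSize     = $Event.Properties[5].Value
            OriginalSize    = $Event.Properties[6].Value
            Content         = $AMSIContentString
            Hash            = $HashString
            ContentFiltered = $Event.Properties[9].Value
        }
    }
}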