Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Basic dynamic malware analysis with AMSI events

Step 1) Start an AMSI ETW trace from an elevated command prompt

logman start trace AMSITrace -p Microsoft-Antimalware-Scan-Interface (Event1) -o amsi.etl -ets

Step 2) Run your evil maldoc or script. Note: AMSI can capture runtime context of VBA, Excel4, JScript, VBScript, PowerShell, WMI, and .NET (4.8+) in-mem assembly loads

Step 3) Stop the AMSI trace

logman stop AMSITrace -ets

Step 4) If AMSI events were collected, pull out their contents. In most cases, the content will be unicode-encoded (.NET assembly loads being the exception). Here's a super dirty one-liner to dump collected AMSI trace data:

Get-WinEvent -Path .\amsi.etl -Oldest | ? { $_.Id -eq 1101 } | % { [Text.Encoding]::Unicode.GetString($_.Properties[-3].Value) }
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment