
@mgraeber-rc
Created March 4, 2021 21:08
Basic dynamic malware analysis with AMSI events

Step 1) Start an AMSI ETW trace from an elevated command prompt

logman start trace AMSITrace -p Microsoft-Antimalware-Scan-Interface (Event1) -o amsi.etl -ets

Step 2) Run your evil maldoc or script. Note: AMSI can capture the runtime context of VBA, Excel 4.0 macros, JScript, VBScript, PowerShell, WMI, and .NET (4.8+) in-memory assembly loads

Step 3) Stop the AMSI trace

logman stop AMSITrace -ets

Step 4) If AMSI events were collected, pull out their contents. In most cases, the content buffer will be Unicode (UTF-16LE) encoded; .NET assembly loads are the exception, since their buffer is the raw assembly image rather than text. Here's a super dirty one-liner to dump collected AMSI trace data:

Get-WinEvent -Path .\amsi.etl -Oldest | ? { $_.Id -eq 1101 } | % { [Text.Encoding]::Unicode.GetString($_.Properties[-3].Value) }
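The four steps above wrapped into reusable functions, as an added example that is not part of the original gist. It keeps the gist's assumption that the scanned content buffer is `Properties[-3]` of event 1101 and adds one assumption of its own: a buffer starting with the `MZ` PE signature is treated as an in-memory .NET assembly load and written out as raw bytes instead of being decoded as UTF-16LE text. The function names and the `-AssemblyOutputDir` parameter are this example's, not AMSI's or logman's.

```powershell
# Added example (not the gist author's code). Wraps the AMSI ETW trace workflow:
# start trace -> detonate sample -> stop trace -> decode event 1101 content.
# Assumptions: content buffer is Properties[-3] (as in the gist's one-liner);
# an "MZ" prefix is used here as the heuristic for a .NET assembly load.

function Start-AmsiTrace {
    param([string]$Name = 'AMSITrace', [string]$Path = "$PWD\amsi.etl")
    # Must be run from an elevated prompt; logman fails to start the session otherwise.
    # '(Event1)' is quoted so PowerShell does not parse the parentheses as an expression.
    & logman.exe start trace $Name -p Microsoft-Antimalware-Scan-Interface '(Event1)' -o $Path -ets
}

function Stop-AmsiTrace {
    param([string]$Name = 'AMSITrace')
    & logman.exe stop $Name -ets
}

function Get-AmsiTraceContent {
    param(
        [Parameter(Mandatory)][string]$Path,   # the .etl written by the trace session
        [string]$AssemblyOutputDir              # optional: where to drop raw assembly images
    )
    $index = 0
    Get-WinEvent -Path $Path -Oldest | Where-Object { $_.Id -eq 1101 } | ForEach-Object {
        $index++
        $bytes = [byte[]]$_.Properties[-3].Value
        if ($bytes.Length -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A) {
            # PE image ("MZ"): an in-memory assembly load. Decoding it as text would
            # produce garbage, so keep the raw bytes and optionally write them to disk.
            $outFile = $null
            if ($AssemblyOutputDir) {
                if (-not (Test-Path $AssemblyOutputDir)) {
                    New-Item -ItemType Directory -Path $AssemblyOutputDir | Out-Null
                }
                $outFile = Join-Path $AssemblyOutputDir ('assembly_{0:D4}.bin' -f $index)
                [IO.File]::WriteAllBytes($outFile, $bytes)
            }
            [pscustomobject]@{
                Index = $index; Time = $_.TimeCreated; Kind = 'Assembly'
                Bytes = $bytes.Length; Content = $outFile
            }
        } else {
            # Everything else (VBA, Excel 4.0, JScript, VBScript, PowerShell, WMI) is UTF-16LE text.
            [pscustomobject]@{
                Index = $index; Time = $_.TimeCreated; Kind = 'Text'
                Bytes = $bytes.Length; Content = [Text.Encoding]::Unicode.GetString($bytes)
            }
        }
    }
}

# Usage, mirroring Steps 1-4:
#   Start-AmsiTrace                      # elevated prompt
#   ... run the sample ...
#   Stop-AmsiTrace
#   Get-AmsiTraceContent -Path .\amsi.etl -AssemblyOutputDir .\assemblies | Format-List
```

Each 1101 event becomes one object, so the output pipes naturally into `Where-Object` for filtering by `Kind` or into `Export-Csv` for keeping a record of what each engine handed to AMSI during the detonation.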