
Package proposal: amsiscriptcontentretrieval.vm #175

Open
seanthegeek opened this issue Dec 8, 2022 · 4 comments
Labels
😕 needs info Further information is needed 🌀 FLARE-VM A package or feature to be used by FLARE-VM ❔ discussion Further discussion is needed 🆕 package New package request/idea/PR

Comments

@seanthegeek

Package Name

amsiscriptcontentretrieval

Tool Name

AMSIScriptContentRetrieval

Package type

SINGLE_PS1

Tool's version number

2018.06.17

Category

PowerShell

Tool's authors

Matt Graeber

Tool's description

Retrieves data from the Microsoft Antimalware Scan Interface (AMSI)

Download URL

https://gist.githubusercontent.com/mattifestation/e179218d88b5f100b0edecdec453d9be/raw/2329bda456b5b8e2f973cc5dc026b6fc221dad79/AMSIScriptContentRetrieval.ps1

Download SHA256 Hash

4ad1712633ef5db299dbfa8565bca899fefcdf4affab9b052768236f8e4c6272

Why is this tool a good addition?

Antimalware Scan Interface (AMSI) is a Microsoft method of observing malicious scripts, including VBA macros, XLM macros, PowerShell, JavaScript, and VBScript scripts.

Starting AMSI monitoring

In PowerShell, run

logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITRace.etl -ets

Then run the script you wish to monitor.

Stopping monitoring

In PowerShell, run

logman stop AMSITrace -ets

Viewing the results

In PowerShell, run

AMSIScriptContentRetrieval

@seanthegeek seanthegeek added the 🆕 package New package request/idea/PR label Dec 8, 2022
@edygert

edygert commented Dec 12, 2022

May want to use my forked version instead. It is identical to Matt's except that the last line of code is replaced by a loop that detects and removes duplicate entries. This sometimes eliminates up to 90% of the output because of the large amount of duplicate messages. https://gist.github.com/edygert/95000ba7039992be4dabbe68d10f986c

@seanthegeek
Author

Ooo. Thanks!

@seanthegeek
Author

@MalwareMechanic I use wrapper scripts as shortcuts to start and stop logging. They are literally the commands described above with friendly filenames on the system PATH. How should I include them?

Start-ASMITrace.ps1

logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITRace.etl -ets

Stop-ASMITrace.ps1

logman stop AMSITrace -ets

Also, the modification by @edygert sounds super useful! Let's use that fork.
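The following is an added example, not code from this issue, from Matt Graeber's gist, from edygert's fork, or from FLARE-VM. It ties together the three things discussed in the thread: the `logman` start/stop procedure from the issue body, the wrapper-script idea from the comment above, and the de-duplication edygert describes, in one self-contained PowerShell file. The function names (`Start-AmsiTrace`, `Stop-AmsiTrace`, `Get-AmsiTraceContent`, `Invoke-AmsiTrace`) are my own, and the assumptions that the AMSI content event is ID 1101 and carries the scanned buffer as the first `byte[]` property encoded as UTF-16LE are mine, not something the issue states; adjust them if a captured trace looks different.

```powershell
# Added example (not the issue's, the gist's, or FLARE-VM's code).
# Wraps the procedure from the issue: start the AMSI ETW trace with logman,
# run a script, stop the trace, then read the .etl and drop repeated buffers.
# ETW sessions need an elevated PowerShell; Get-WinEvent can only read the
# .etl after the session has been stopped.
# ASSUMPTIONS (mine): the content event is ID 1101 and carries the scanned
# buffer as the first byte[] property, encoded as UTF-16LE.

function Start-AmsiTrace {
    param([string]$Path = (Join-Path $PWD 'AMSITrace.etl'))
    # Same command as in the issue body, with the output path parameterised.
    $null = logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o $Path -ets
    if ($LASTEXITCODE -ne 0) { throw "logman start failed (exit $LASTEXITCODE); is the session elevated?" }
    return $Path
}

function Stop-AmsiTrace {
    $null = logman stop AMSITrace -ets
    if ($LASTEXITCODE -ne 0) { throw "logman stop failed (exit $LASTEXITCODE)" }
}

function Get-AmsiTraceContent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$KeepDuplicates   # set to see every scan, including repeats
    )
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    $seen   = [System.Collections.Generic.HashSet[string]]::new()

    # -Oldest is mandatory when Get-WinEvent reads an .etl file.
    Get-WinEvent -Path $Path -Oldest -ErrorAction Stop |
        Where-Object { $_.Id -eq 1101 } |
        ForEach-Object {
            $evt   = $_
            $props = $evt.Properties

            # Assumption: the scanned buffer is the first byte[] property.
            $buffer = ($props | Where-Object { $_.Value -is [byte[]] } | Select-Object -First 1).Value
            if (-not $buffer) { return }
            $content = [System.Text.Encoding]::Unicode.GetString($buffer).TrimEnd([char]0)

            # String properties in this event are the application and content names.
            $strings = @($props | Where-Object { $_.Value -is [string] } | Select-Object -ExpandProperty Value)
            $appName     = if ($strings.Count -ge 1) { $strings[0] } else { $null }
            $contentName = if ($strings.Count -ge 2) { $strings[1] } else { $null }

            # De-duplicate on a hash of the decoded content: the trace repeats the
            # same buffer many times (the point of edygert's fork).
            $digest = ([System.BitConverter]::ToString(
                $sha256.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($content)))) -replace '-', ''
            if (-not $KeepDuplicates -and -not $seen.Add($digest)) { return }

            [pscustomobject]@{
                TimeCreated = $evt.TimeCreated
                AppName     = $appName
                ContentName = $contentName
                Sha256      = $digest
                Content     = $content
            }
        }
}

function Invoke-AmsiTrace {
    # Start the trace, run the supplied script block, and always stop the trace
    # (even if the script throws), then return the de-duplicated scan contents.
    param(
        [Parameter(Mandatory)][scriptblock]$ScriptBlock,
        [string]$Path = (Join-Path $PWD 'AMSITrace.etl')
    )
    $etl = Start-AmsiTrace -Path $Path
    try     { & $ScriptBlock | Out-Null }
    finally { Stop-AmsiTrace }
    Get-AmsiTraceContent -Path $etl
}

# Usage, from an elevated prompt, on a script you want to observe through AMSI:
#   Invoke-AmsiTrace { powershell -File .\sample.ps1 } | Format-List AppName, ContentName, Content
```

Keeping the start and stop steps as separate functions preserves the two-file workflow from the comment above (they can be dot-sourced or saved as `Start-AmsiTrace.ps1` and `Stop-AmsiTrace.ps1` on the PATH), while `Invoke-AmsiTrace` guarantees the ETW session is torn down if the traced script fails, which is the usual way a stray `AMSITrace` session ends up blocking the next `logman start`.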

@Ana06 Ana06 added the 🌀 FLARE-VM A package or feature to be used by FLARE-VM label Oct 6, 2023
@Ana06
Member

Ana06 commented Jul 17, 2024

@mandiant/flare-vm any opinions here?

I tend to think that it would be better if @seanthegeek or @edygert could provide a tool wrapper for the commands you are mentioning, instead of having to maintain that code in this repository. Then we could install the tool into the Tools directory and it would make it easier for users.

@Ana06 Ana06 added ❔ discussion Further discussion is needed 😕 needs info Further information is needed labels Jul 17, 2024