Open seanthegeek opened 1 year ago
May want to use my forked version instead. It is identical to Matt's except that the last line of code is replaced by a loop that detects and removes duplicate entries. This sometimes eliminates up to 90% of the output because of the large amount of duplicate messages. https://gist.github.com/edygert/95000ba7039992be4dabbe68d10f986c
Ooo. Thanks!
@MalwareMechanic I use wrapper scripts as shortcuts to start and stop logging. They are literally the commands described above with friendly filenames on the system PATH. How should I include them?
```powershell
logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITRace.etl -ets
logman stop AMSITrace -ets
```
Also, the modification by @edygert sounds super useful! Let's use that fork.
@mandiant/flare-vm any opinions here?
I tend to think that it would be better if @seanthegeek or @edygert could provide a tool wrapper for the commands you are mentioning, instead of having to maintain that code in this repository. Then we could install the tool into the Tools directory and it would make it easier for users.
Package Name
amsiscriptcontentretrieval
Tool Name
AMSIScriptContentRetrieval
Package type
SINGLE_PS1
Tool's version number
2018.06.17
Category
PowerShell
Tool's authors
Matt Graeber
Tool's description
Retrieves data from the Microsoft Antimalware Scan Interface (AMSI)
Download URL
https://gist.githubusercontent.com/mattifestation/e179218d88b5f100b0edecdec453d9be/raw/2329bda456b5b8e2f973cc5dc026b6fc221dad79/AMSIScriptContentRetrieval.ps1
Download SHA256 Hash
4ad1712633ef5db299dbfa8565bca899fefcdf4affab9b052768236f8e4c6272
Why is this tool a good addition?
Antimalware Scan Interface (AMSI) is a Microsoft method of observing malicious scripts, including VBA macros, XLM macros, PowerShell, JavaScript, and VBScript scripts.
Starting AMSI monitoring
In PowerShell, run
```powershell
logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITRace.etl -ets
```
Then run the script you wish to monitor.
Stopping monitoring
In PowerShell, run
```powershell
logman stop AMSITrace -ets
```
Viewing the results
In PowerShell, run
```powershell
AMSIScriptContentRetrieval
```
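As an added example (not code from this issue, from the gist, or from FLARE-VM), here is a PowerShell wrapper of the kind the comments above ask for: it starts the same logman session, runs a script block, and stops the session in a `finally` block so a failing script cannot leave the ETW session open. The function names `Start-AmsiTrace`, `Stop-AmsiTrace` and `Invoke-AmsiTrace` are my own; it assumes an elevated PowerShell session and `logman.exe` on the PATH.

```powershell
function Start-AmsiTrace {
    param(
        [string]$SessionName = 'AMSITrace',
        [string]$EtlPath = (Join-Path $PWD 'AMSITrace.etl')
    )
    # A session with this name left over from an earlier run makes 'logman start' fail,
    # so query for it first and stop it if present (query exits non-zero when it is absent).
    & logman.exe query $SessionName -ets *> $null
    if ($LASTEXITCODE -eq 0) { & logman.exe stop $SessionName -ets *> $null }
    # Same provider and event as the issue's command: Event ID 1 carries the scanned content.
    & logman.exe start $SessionName -p Microsoft-Antimalware-Scan-Interface Event1 -o $EtlPath -ets *> $null
    if ($LASTEXITCODE -ne 0) {
        throw "logman start failed (exit code $LASTEXITCODE); run from an elevated prompt"
    }
    return $EtlPath
}

function Stop-AmsiTrace {
    param([string]$SessionName = 'AMSITrace')
    & logman.exe stop $SessionName -ets *> $null
    if ($LASTEXITCODE -ne 0) { throw "logman stop failed (exit code $LASTEXITCODE)" }
}

function Invoke-AmsiTrace {
    # Runs $ScriptBlock while the AMSI provider is being traced and always stops the
    # session, even if the script throws, so the .etl is closed and ready for parsing.
    param(
        [Parameter(Mandatory)][scriptblock]$ScriptBlock,
        [string]$SessionName = 'AMSITrace',
        [string]$EtlPath = (Join-Path $PWD 'AMSITrace.etl')
    )
    $etl = Start-AmsiTrace -SessionName $SessionName -EtlPath $EtlPath
    try {
        # Show the traced script's output but keep it out of this function's return value.
        & $ScriptBlock | Out-Host
    }
    finally {
        Stop-AmsiTrace -SessionName $SessionName
    }
    return $etl
}

# Usage: trace a benign command, then run AMSIScriptContentRetrieval as the issue describes.
$etl = Invoke-AmsiTrace -ScriptBlock { Get-Date | Out-Null }
Write-Host "AMSI trace written to $etl"
```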