Windows.ETW.AMSI

This artifact uses the ETW provider: (Microsoft-Antimalware-Scan-Interface - {2A576B87-09A7-520E-C21A-4942F0271D67}


name: Windows.ETW.AMSI
description: |
    This artifact uses the ETW provider:
        (Microsoft-Antimalware-Scan-Interface - {2A576B87-09A7-520E-C21A-4942F0271D67}

type: CLIENT_EVENT

parameters:
  - name: IocRegex
    description: "Regex of strings to filter for"
    default: .
  - name: WhitelistRegex
    description: "Regex of strings to witelist"
  - name: AppNameRegex
    description: "Application name Regex to enable filtering on source."
    default: .
  - name: ExcludeAmsiHashList
    description: "Line seperated list of AMSI hashes to exclude"
    default: |
        0xB95D39DB18570A2A6DB329A3FF0BB87B17720279A0AC6862C7D5BA66C8270BB1
        0x9281522E94E9F3D4FBF4F679335D8A891B1FAE9933DCD993A0E2AE7CD8789953

sources:
  - query: |
      -- split out Hash exclusions into array
      LET HashExclusions <= SELECT _value as AmsiHash
        FROM foreach(row=split(sep='\\s+',string=ExcludeAmsiHashList))
        WHERE AmsiHash
        
      -- watch ETW provider and first round data manipulation
      LET hits = SELECT
         timestamp(epoch=timestamp(string=System.TimeStamp).unix) as EventTime,
         System,
         get(member="EventData") AS EventData
      FROM watch_etw(guid="{2A576B87-09A7-520E-C21A-4942F0271D67}")
      WHERE EventData.appname =~ AppNameRegex
        AND NOT EventData.hash in HashExclusions.AmsiHash

      -- print rows
      SELECT
        EventTime,
        EventData.appname as AppName,
        EventData.contentname as ContentName,
        utf16(string=
            unhex(string=regex_replace(
                source=EventData.Content,re='^0x',replace=''))
        ) as Content,
        process_tracker_callchain(id=System.ProcessID).Data[-1] as ProcessInfo,
        process_tracker_callchain(id=System.ProcessID).Data as ProcessChain,
        EventData.hash as AmsiHash
      FROM hits
      WHERE
        Content =~ IocRegex
        AND if(condition= WhitelistRegex,
            then= NOT Content =~ WhitelistRegex,
            else= True)