This artifact uses the ETW provider: (Microsoft-Antimalware-Scan-Interface - {2A576B87-09A7-520E-C21A-4942F0271D67}
name: Windows.ETW.AMSI
description: |
This artifact uses the ETW provider:
(Microsoft-Antimalware-Scan-Interface - {2A576B87-09A7-520E-C21A-4942F0271D67}
type: CLIENT_EVENT
parameters:
- name: IocRegex
description: "Regex of strings to filter for"
default: .
- name: WhitelistRegex
description: "Regex of strings to witelist"
- name: AppNameRegex
description: "Application name Regex to enable filtering on source."
default: .
- name: ExcludeAmsiHashList
description: "Line seperated list of AMSI hashes to exclude"
default: |
0xB95D39DB18570A2A6DB329A3FF0BB87B17720279A0AC6862C7D5BA66C8270BB1
0x9281522E94E9F3D4FBF4F679335D8A891B1FAE9933DCD993A0E2AE7CD8789953
sources:
- query: |
-- split out Hash exclusions into array
LET HashExclusions <= SELECT _value as AmsiHash
FROM foreach(row=split(sep='\\s+',string=ExcludeAmsiHashList))
WHERE AmsiHash
-- watch ETW provider and first round data manipulation
LET hits = SELECT
timestamp(epoch=timestamp(string=System.TimeStamp).unix) as EventTime,
System,
get(member="EventData") AS EventData
FROM watch_etw(guid="{2A576B87-09A7-520E-C21A-4942F0271D67}")
WHERE EventData.appname =~ AppNameRegex
AND NOT EventData.hash in HashExclusions.AmsiHash
-- print rows
SELECT
EventTime,
EventData.appname as AppName,
EventData.contentname as ContentName,
utf16(string=
unhex(string=regex_replace(
source=EventData.Content,re='^0x',replace=''))
) as Content,
process_tracker_callchain(id=System.ProcessID).Data[-1] as ProcessInfo,
process_tracker_callchain(id=System.ProcessID).Data as ProcessChain,
EventData.hash as AmsiHash
FROM hits
WHERE
Content =~ IocRegex
AND if(condition= WhitelistRegex,
then= NOT Content =~ WhitelistRegex,
else= True)