# Countering AMSI Detection This page explains how to troubleshoot AMSI detections on Office documents. This is the typical error message indicating AMSI killed our maldoc: ![amsi.png](amsi.png) The script provided in this directory, [again](https://github.com/mgeeky/Penetration-Testing-Tools/tree/master/red-teaming/Self-Signed%20Threat), uses splendid work of [Matt Graeber, @mattifestation](https://twitter.com/mattifestation), namely his [AMSITools.ps1](https://gist.github.com/mgraeber-rc/1eb42d3ec9c2f677e70bb14c3b7b5c9c) script, that pulls AMSI events from Windows' event-log. ## Pulling AMSI Events We can pull AMSI events to review more closely what happened thanks to Matt's [AMSITools.ps1]](https://gist.github.com/mgraeber-rc/1eb42d3ec9c2f677e70bb14c3b7b5c9c). Follow these steps: 1. Disable your Anti-Virus. In Defender, that includes turning off Real-Time Detection option. 2. Open up Powershell as Administrator and browse to this script's directory. 3. Load up `Get-AMSIScanResult.ps1` script: ``` PS D:\AMSITools> . .\Get-AMSIScanResult.ps1 ``` 4. And then - to inspect Office document - simply launch the following: ``` PS D:\AMSITools> Get-AMSIScanResult -Interactive ``` 5. You will be prompted with following message: ``` Trigger AMSI detections now and then press any key to pull AMSI events... ``` 6. Now re-enable your Anti-Virus, to make sure AMSI provider will be active and Maldoc will get remediated. 7. Open up your faulty Maldoc document to ensure AMSI triggers and event gets generated 8. After seeing AMSI error dialog, close up Office application and get back to Powershell console. 9. Now hit **Enter** in the console and review output or follow instructions. ## Example Event Example event look like following: ``` ProcessId : 30828 ThreadId : 14248 TimeCreated : 02/09/2022 16:54:54 Session : 0 ScanStatus : 1 ScanResult : AMSI_RESULT_DETECTED AppName : OFFICE_VBA ContentName : D:\rmf\output-files\evil2.xlsm ContentSize : 680 OriginalSize : 680 Content : IXMLDOMDocument2.createelement("obf_someInternalName"); IXMLDOMElement.nodetypedvalue(); IXMLDOMDocument2.createelement("obf_someInternalName"); IXMLDOMElement.nodetypedvalue(); IXMLDOMDocument2.createelement("obf_someInternalName"); IXMLDOMElement.nodetypedvalue(); IWshShell3.run("false", "0", "%WINDIR%\System32\conhost.exe "calc" """); Hash : 6C58AE0705D2CE87ED36E78E6C366118AA407776D898864F92FF5ADC50294268 ContentFiltered : False ``` The very last line of `Content` entry tells us, which was the last VBA line of code that generated AMSI event. ## Credits **All credits go to [Matt](https://twitter.com/mattifestation)** - this directory contains **HIS** script _AMSITools.ps1_, mirrored for preserverance purposes.