Git/mgeeky-Penetration-Testing-Tools
1
0
Fork 0
mirror of https://github.com/mgeeky/Penetration-Testing-Tools.git synced 2025-11-04 13:05:26 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
76dd286035eda409e7b6324fd2ee007112594143
mgeeky-Penetration-Testing-…/red-teaming/AMSITools
History
Mariusz B. / mgeeky d76cd83284 Added AMSITools
2022-09-22 19:11:04 +02:00
..
amsi.png
Added AMSITools
2022-09-22 19:08:29 +02:00
AMSITools.ps1
Added AMSITools
2022-09-22 19:08:29 +02:00
Get-AMSIScanResult.ps1
Added AMSITools
2022-09-22 19:08:29 +02:00
README.md
Added AMSITools
2022-09-22 19:11:04 +02:00

README.md

Countering AMSI Detection

This page explains how to troubleshoot AMSI detections on Office documents. This is the typical error message indicating AMSI killed our maldoc:

amsi.png

The script provided in this directory, again, uses splendid work of Matt Graeber, @mattifestation, namely his AMSITools.ps1 script, that pulls AMSI events from Windows' event-log.

Pulling AMSI Events

We can pull AMSI events to review more closely what happened thanks to Matt's AMSITools.ps1.

Follow these steps:

  1. Disable your Anti-Virus. In Defender, that includes turning off Real-Time Detection option.

  2. Open up Powershell as Administrator and browse to this script's directory.

  3. Load up Get-AMSIScanResult.ps1 script:

PS D:\AMSITools> . .\Get-AMSIScanResult.ps1
  1. And then - to inspect Office document - simply launch the following:
PS D:\AMSITools> Get-AMSIScanResult -Interactive
  1. You will be prompted with following message:
Trigger AMSI detections now and then press any key to pull AMSI events...

  1. Now re-enable your Anti-Virus, to make sure AMSI provider will be active and Maldoc will get remediated.

  2. Open up your faulty Maldoc document to ensure AMSI triggers and event gets generated

  3. After seeing AMSI error dialog, close up Office application and get back to Powershell console.

  4. Now hit Enter in the console and review output or follow instructions.

Example Event

Example event look like following:

ProcessId       : 30828
ThreadId        : 14248
TimeCreated     : 02/09/2022 16:54:54
Session         : 0
ScanStatus      : 1
ScanResult      : AMSI_RESULT_DETECTED
AppName         : OFFICE_VBA
ContentName     : D:\rmf\output-files\evil2.xlsm
ContentSize     : 680
OriginalSize    : 680
Content         : IXMLDOMDocument2.createelement("obf_someInternalName");
                  IXMLDOMElement.nodetypedvalue();
                  IXMLDOMDocument2.createelement("obf_someInternalName");
                  IXMLDOMElement.nodetypedvalue();
                  IXMLDOMDocument2.createelement("obf_someInternalName");
                  IXMLDOMElement.nodetypedvalue();
                  IWshShell3.run("false", "0", "%WINDIR%\System32\conhost.exe "calc" """);

Hash            : 6C58AE0705D2CE87ED36E78E6C366118AA407776D898864F92FF5ADC50294268
ContentFiltered : False

The very last line of Content entry tells us, which was the last VBA line of code that generated AMSI event.

Credits

All credits go to Matt - this directory contains HIS script AMSITools.ps1, mirrored for preserverance purposes.