Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Missing AMSI (fileless script) logging #91

Open
Gandalf098 opened this issue Dec 1, 2024 · 1 comment
Open

Missing AMSI (fileless script) logging #91

Gandalf098 opened this issue Dec 1, 2024 · 1 comment

Comments

@Gandalf098
Copy link

Some EDR vendors (namely Crowdstrike & Carbonblack), log ALL execution that passes through AMSI, this is especially useful for non-powershell scripts (such as VBA scripts or JScripts, there is a whole C2 Framework written around JScript (Kodiac), and these are definitely useful for detection of other techniques such as persistence, application locker (application whitelisting) bypass and others.

this is implemented through registering EDR AMSI DLL, and configuring it to generate a log each time it is called

it is also probably worth mentioning that while that is "bypassable", (if attacker bypasses AMSI altogether), however it provides detection opportunities and post-mortem RCA (root cause analysis) if it actually was bypassed.
@tsale
Copy link
Owner

tsale commented Dec 28, 2024

Are you proposing a new category? If so, can you provide some examples from the EDRs you mentioned?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Gandalf098 @tsale