secnnet / AMSI-Scripts

amsi etw incident-response malware-detection powershell-scripts security-tools threat-analysis antivirus-integration content-scanning powershell-security

AMSI Scripts

PowerShell scripts for AMSI operations.

Prerequisites:

Windows OS
PowerShell (v5.1+)
Admin privileges (for some tasks)

Usage:

Clone/download repo.
Open PowerShell in script directory.
Run desired script:
- .\Send-AmsiContent.ps1: Scan content via AMSI.
- .\Get-AMSIEvent.ps1 -Path <trace_path>: Parse AMSI ETW trace.
- .\Get-AMSIScanResult.ps1 -Interactive: Interactive mode.
- .\Get-AMSIScanResult.ps1 -File <input_file_path> -StandardAppName <app_name>: File mode.

Notes:

Run with elevated permissions if needed.
Understand implications before content scanning.
Scripts are as-is; use at your own risk.

Credits:

Scripts modified from Matt Graeber's work at Red Canary. See Microsoft for AMSI details.

License:

MIT

About

amsi etw incident-response malware-detection powershell-scripts security-tools threat-analysis antivirus-integration content-scanning powershell-security

MIT License

Languages

Language:PowerShell 100.0%