AMSI

What is AMSI?

Essentially, AMSI (Antimalware Scan Interface) is an interface through which applications and services (third-party ones included) can have a script's content scanned for malicious usage. If the script matches a signature registered with the AMSI antimalware service provider (Windows Defender by default), it is blocked.

To put this into context, consider the following steps PowerShell takes to integrate with AMSI:

  • When a PowerShell process is created, AMSI.DLL is loaded from disk into its address space.

  • Within AMSI.DLL there is a function called AmsiScanBuffer(), which is the function used to scan a script's content.

  • In the PowerShell command prompt, any supplied content is first sent to AmsiScanBuffer() before any execution takes place.

  • AmsiScanBuffer() then checks with the registered antivirus to determine whether the content matches any of its signatures.

  • If the content is deemed malicious, it is blocked.

Deobfuscating Malicious Code:

Microsoft added log dumping and ScriptBlock logging to PowerShell v5.0 and later; these events are written to EID 4104. ScriptBlock logging provides the capability of recording de-obfuscated PowerShell code.

Because script code has to be de-obfuscated before it can run, ScriptBlock logging records the actual code just before it is passed to the PowerShell engine for execution. Therefore, many centralized log systems will raise an alert when they capture such suspicious logs. Such alerts are valuable for sample analysis and emergency forensics.
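The two points above, PowerShell scanning script content via AmsiScanBuffer() and ScriptBlock logging writing the de-obfuscated code to EID 4104, meet on the defender's side when those events are consumed. The following is an added example, not code from the original page: Python that parses constructed 4104 event XML, reassembles script blocks that PowerShell split across several events (the MessageNumber, MessageTotal and ScriptBlockId fields), and flags blocks that reference AMSI internals. The sample events and the `AMSI_PATTERN` rule are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event_xml(block_id, num, total, text):
    # Builds a constructed 4104 record using the real EventData field names.
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<System><EventID>4104</EventID></System><EventData>'
        f'<Data Name="MessageNumber">{num}</Data><Data Name="MessageTotal">{total}</Data>'
        f'<Data Name="ScriptBlockText">{text}</Data><Data Name="ScriptBlockId">{block_id}</Data>'
        '<Data Name="Path"></Data></EventData></Event>'
    )

# Constructed sample events (not real telemetry). Block "a1" is logged as two
# fragments, delivered out of order, and "AmsiScanBuffer" straddles the split.
SAMPLE_EVENTS = [
    _event_xml("a1", 2, 2, "Buffer from script' ; Get-Date"),
    _event_xml("b2", 1, 1, "Get-ChildItem C:\\Temp | Measure-Object"),
    _event_xml("a1", 1, 2, "Write-Host 'calling AmsiScan"),
]

def parse_4104(xml_text):
    """Return the 4104 fields of one event, or None if it is not a 4104 event."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4104":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {"id": data["ScriptBlockId"], "num": int(data["MessageNumber"]),
            "total": int(data["MessageTotal"]), "text": data["ScriptBlockText"]}

def reassemble(events):
    """Join fragments by ScriptBlockId; blocks missing any fragment are skipped."""
    parts = defaultdict(dict)
    for ev in filter(None, (parse_4104(e) for e in events)):
        parts[ev["id"]][ev["num"]] = ev
    blocks = {}
    for block_id, frags in parts.items():
        total = next(iter(frags.values()))["total"]
        if len(frags) == total:
            blocks[block_id] = "".join(frags[i]["text"] for i in range(1, total + 1))
    return blocks

# Detection rule: script blocks that mention the AMSI scanning function or DLL.
AMSI_PATTERN = re.compile(r"AmsiScanBuffer|amsi\.dll", re.IGNORECASE)

def flag_amsi_references(blocks):
    return sorted(bid for bid, text in blocks.items() if AMSI_PATTERN.search(text))
```

Calling `flag_amsi_references(reassemble(SAMPLE_EVENTS))` returns `['a1']`, while matching the pattern against either fragment of `a1` on its own finds nothing, which is why fragments must be joined before rules are applied.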

Reference
ScriptBlockLogging Function Deep Dive
