Logman

Basic dynamic malware analysis with AMSI events

Step 1) Start an AMSI ETW trace from an elevated command prompt

logman start trace AMSITrace -p Microsoft-Antimalware-Scan-Interface (Event1) -o amsi.etl -ets

Step 2) Run your evil maldoc or script. Note: AMSI can capture runtime context of VBA, Excel4, JScript, VBScript, PowerShell, WMI, and .NET (4.8+) in-mem assembly loads

Step 3) Stop the AMSI trace

logman stop AMSITrace -ets

Step 4) If AMSI events were collected, pull out their contents. In most cases, the content will be unicode-encoded (.NET assembly loads being the exception). Here's a super dirty one-liner to dump collected AMSI trace data:

Get-WinEvent -Path .\amsi.etl -Oldest | ? { $_.Id -eq 1101 } | % { [Text.Encoding]::Unicode.GetString($_.Properties[-3].Value) }