Trickbot COVID macro lure via MSFT: ec34b207d503a3c95ee743ee296a08e93a5e960aa4611ea8c39d8e5d4c5f6593
test.js
// Benign AMSI test payload: the eval'd string creates a WScript.Shell object and
// launches calc.exe. Presumably the eval is there so the script host submits the
// dynamic code to AMSI for scanning — confirm against the trace output.
var payload = "WScript.CreateObject(\"WScript.Shell\").Run(\"calc.exe\");";
eval(payload);
Perfview - Used to dump the instrumentation manifest for the AMSI ETW provider using the following command:
# Dump the registered instrumentation manifest of the AMSI ETW provider (runs headless, /nogui)
PerfView.exe /nogui userCommand DumpRegisteredManifest Microsoft-Antimalware-Scan-Interface
WEPExplore - Visual UI for inspecting ETW provider manifests
Validate that AMSI is configured to collect on all VBA macros:
# Read the Office macro runtime scan scope policy; a value of 2 means AMSI scanning covers all documents
Get-ItemPropertyValue -Path HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security\ -Name MacroRuntimeScanScope
A value of 2 indicates that AMSI scanning is enabled for all documents. Reference
Start an AMSI ETW trace:
# Start a real-time ETW session (-ets) named AMSITrace for the AMSI provider, writing to AMSITrace.etl.
# --% hands the rest of the line to logman verbatim so PowerShell does not parse the provider arguments.
logman --% start AMSITrace -p Microsoft-Antimalware-Scan-Interface (Event1) 0x4 -o AMSITrace.etl -ets
Stop an AMSI ETW trace:
# Stop the AMSITrace ETW session; the .etl file is then ready for Get-WinEvent
logman stop AMSITrace -ets
Note: `--%` is the PowerShell stop-parsing token; it tells PowerShell to pass the rest of the command line to logman verbatim instead of interpreting it as PowerShell code.
PowerShell function to clean up the output of Get-WinEvent when interpreting AMSI trace data:
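function Get-AMSITraceEvent {
<#
.SYNOPSIS
Parses AMSI ETW trace events (event ID 1101) from an .etl file into readable objects.

.DESCRIPTION
Reads the Microsoft-Antimalware-Scan-Interface event 1101 records from the trace
file, decodes the scanned content buffer (UTF-16LE) and the content hash, and maps
the numeric AMSI scan result to its AMSI_RESULT_* name.

.PARAMETER FilePath
Path to the .etl file written by the logman AMSITrace session.

.OUTPUTS
One PSCustomObject per scan event with TimeCreated, ProcessId, ThreadId, Session,
ScanStatus, ScanResult, AppName, ContentName, ContentSize, OriginalSize, Content,
Hash and ContentFiltered properties.
#>
    param (
        [Parameter(Mandatory)]
        [String]
        $FilePath
    )

    Get-WinEvent -Path $FilePath -Oldest -FilterXPath '*[System[EventID = 1101]]' | ForEach-Object {
        # Capture the record: inside a switch block $_ is the value under test,
        # not the pipeline record, so the original default branch dereferenced an
        # integer and produced $null instead of the raw result code.
        $Record = $_
        $RawResult = $Record.Properties[2].Value

        $ScanResult = switch ($RawResult) {
            0     { 'AMSI_RESULT_CLEAN' }
            1     { 'AMSI_RESULT_NOT_DETECTED' }
            32768 { 'AMSI_RESULT_DETECTED' }
            # AMSI_RESULT_BLOCKED_BY_ADMIN_START..END (0x4000-0x4FFF) from amsi.h
            { $_ -ge 16384 -and $_ -le 20479 } { 'AMSI_RESULT_BLOCKED_BY_ADMIN' }
            default { $RawResult }
        }

        # Content is a UTF-16LE byte buffer; guard against an empty/missing buffer,
        # which would otherwise make GetString throw.
        $ContentBytes = $Record.Properties[7].Value
        $Content = if ($ContentBytes) {
            [Text.Encoding]::Unicode.GetString($ContentBytes)
        } else {
            ''
        }

        # Render the hash bytes as an uppercase hex string without separators.
        $HashBytes = $Record.Properties[8].Value
        $Hash = if ($HashBytes) {
            [BitConverter]::ToString($HashBytes) -replace '-', ''
        } else {
            ''
        }

        # Casting a hashtable literal to PSCustomObject keeps property order.
        [PSCustomObject]@{
            TimeCreated     = $Record.TimeCreated
            ProcessId       = $Record.ProcessId
            ThreadId        = $Record.ThreadId
            Session         = $Record.Properties[0].Value
            ScanStatus      = $Record.Properties[1].Value
            ScanResult      = $ScanResult
            AppName         = $Record.Properties[3].Value
            ContentName     = $Record.Properties[4].Value
            ContentSize     = $Record.Properties[5].Value
            OriginalSize    = $Record.Properties[6].Value
            Content         = $Content
            Hash            = $Hash
            ContentFiltered = $Record.Properties[9].Value
        }
    }
}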