Query Details

AMSI Script Detection

AMSI Script Detections

Query

DeviceEvents 
| where ActionType == "AmsiScriptDetection" 
| extend Description = tostring(parse_json(AdditionalFields).Description) 
| project Timestamp, DeviceName, DeviceId, InitiatingProcessCommandLine, Description, ReportId

About this query

Explanation

This query is designed to detect and list events where the Windows Antimalware Scan Interface (AMSI) has identified potentially malicious scripts executed via PowerShell on devices within your network. The query focuses on events labeled as "AmsiScriptDetection," which indicates that AMSI has flagged a script for potential malicious activity.

Here's a breakdown of what the query does:

  1. Data Source: It pulls data from DeviceEvents, which logs various events occurring on devices.

  2. Filter: It specifically looks for events where the ActionType is "AmsiScriptDetection." This means it is filtering for events where AMSI has detected a script that might be harmful.

  3. Data Extraction: The query extracts additional information from the AdditionalFields column, particularly the Description of the event, by parsing it as JSON.

  4. Output: It then selects and displays specific columns of interest:

    • Timestamp/TimeGenerated: The time when the event was logged.
    • DeviceName: The name of the device where the event occurred.
    • DeviceId: The unique identifier of the device.
    • InitiatingProcessCommandLine: The command line that was used to initiate the process, providing context on what script or command was executed.
    • Description: A description of the event, giving more details about what was detected.
    • ReportId: An identifier for the report, which can be used for further investigation or correlation with other events.

The query is useful for monitoring and reporting on potentially malicious script activities detected by AMSI, even if these events do not automatically trigger alerts in Microsoft Defender for Endpoint. This proactive monitoring can help identify adversaries using PowerShell to execute harmful scripts that might otherwise go unnoticed.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: June 8, 2025

Tables

DeviceEvents

Keywords

DeviceEventsAmsiScriptDetectionTimestampDeviceNameDeviceIdInitiatingProcessCommandLineDescriptionReportIdTimeGenerated

Operators

whereextendtostringparse_jsonproject

MITRE Techniques

Actions

GitHub