Query Details

Defender for Endpoint - AmsiScript Execution - Decode PowerShell commands

MDE Amsi Script Detection

Query

// Decode PowerShell AmsiScriptDetection's
DeviceEvents  
| where ActionType == @"AmsiScriptDetection"
| extend EncodedCommand = extract(@'\s+([A-Za-z0-9+/]{20}\S+$)', 1, InitiatingProcessCommandLine)
| extend DecodedCommand = base64_decode_tostring(EncodedCommand)
| where isnotempty( DecodedCommand)
| project Timestamp, DeviceName, InitiatingProcessFileName,FileName,DecodedCommand

About this query

Defender for Endpoint - AmsiScript Execution - Decode PowerShell commands

Query Information

Description

Run the below KQL query to decode powershell commands detected by AMSI

References

Microsoft 365 Defender

Explanation

This query is used to decode PowerShell commands that have been detected by AMSI (Antimalware Scan Interface). It retrieves events from the DeviceEvents table where the ActionType is "AmsiScriptDetection". It then extracts the encoded command from the InitiatingProcessCommandLine using a regular expression and decodes it using the base64_decode_tostring function. The query filters out any empty decoded commands and projects the Timestamp, DeviceName, InitiatingProcessFileName, FileName, and DecodedCommand fields.

Details

Alex Verboon profile picture

Alex Verboon

Released: June 4, 2023

Tables

DeviceEvents

Keywords

DevicesIntuneUserQueryKQL

Operators

whereextendextractbase64_decode_tostringisnotemptyproject

Actions

GitHub