Get AMSI module

This code

obtains the name and CLSID for AMSI via the registry
obtains the name and CLSID for evert registered AMSI provider
obtains the path and signer information for each DLL
identifies if AMSI is loaded and/or initialized in the current process

function Get-AmsiModule {
<#
.SYNOPSIS

Retrieves information about AMSI and each registered AMSI provider.

.DESCRIPTION

Get-AmsiModule retrieves information about AMSI and registered AMSI providers. This is useful for defenders auditing the consistency of AMSI utilization across an environment.

Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause

.EXAMPLE

Get-AmsiModule

.OUTPUTS

AMSI.ModuleInfo

Outputs objects representing information about AMSI itself as well as each registered AMSI provider.

.NOTES

Get-AmsiModule only returns AMSI registrations that correspond to the architecture of the current PowerShell process. To return WOW64 registrations, run 32-bit PowerShell, if desired.
#>

    [CmdletBinding()]
    param()
    
    try {
        # requires PSv3+ due to use of Get-ItemPropertyValue
        Set-StrictMode -Version 3
    } catch {
		# throw a .NET exception instead of a PowerShell one
        throw $_
        return
    }

    $AmsiUtilsType = [PSObject].Assembly.GetType('System.Management.Automation.AmsiUtils')

    if ($AmsiUtilsType) {
        $IsInitialized = $AmsiUtilsType.GetField('AmsiInitialized').GetValue($null) > $null

        if (-not $IsInitialized) {
            Write-Verbose "AMSI is not initialized in the current process. Process ID: $PID"
        }
    } else {
        Write-Verbose 'The System.Management.Automation.AmsiUtils class is not present.'
    }

    # get information for the base AMSI implementation
    # https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/
    $AMSIGuid = '{fdb00e52-a214-4aa1-8fba-4357bb0072ec}'

    $AMSIHKCRPath = "Registry::HKEY_CLASSES_ROOT\CLSID\$AMSIGuid"
    $AMSIName = Get-ItemPropertyValue -Path $AMSIHKCRPath -Name '(default)'
    $AMSIPath = Get-ItemPropertyValue -Path "$AMSIHKCRPath\InprocServer32\" -Name '(default)'

    $AMSIFileInfo = Get-Item -Path $AMSIPath.Trim('"')
    $AMSISignature = Get-AuthenticodeSignature -FilePath $AMSIFileInfo.FullName

    [PSCustomObject] @{
        PSTypeName = 'AMSI.ModuleInfo'
        CLSID = [Guid] $AMSIGuid
        Name = $AMSIName
        Module = $AMSIFileInfo
        Signature = $AMSISignature
    }

    # enumerate every registered AMSI provider
    Get-ChildItem -Path HKLM:\Software\Microsoft\AMSI\Providers -ErrorAction SilentlyContinue | ForEach-Object {
        $ProviderGuid = $_.PSChildName
        $HKCRPath = "Registry::HKEY_CLASSES_ROOT\CLSID\$ProviderGuid"
        $ProviderName = Get-ItemPropertyValue -Path $HKCRPath -Name '(default)'
        $ProviderPath = Get-ItemPropertyValue -Path "$HKCRPath\InprocServer32\" -Name '(default)'
        $AMSIProviderModule = Get-Item -Path $ProviderPath.Trim('"')
        $ProviderSignature = Get-AuthenticodeSignature -FilePath $AMSIProviderModule.FullName

        [PSCustomObject] @{
            PSTypeName = 'AMSI.ModuleInfo'
            CLSID = [Guid] $ProviderGuid
            Name = $ProviderName
            Module = $AMSIProviderModule
            Signature = $ProviderSignature
        }
    }
}

References

PreviousFind signed alternate PowerShell hosts NextGroup processes by user with WMI

Last updated 8 months ago

function Get-AmsiModule { <# .SYNOPSIS Retrieves information about AMSI and each registered AMSI provider. .DESCRIPTION Get-AmsiModule retrieves information about AMSI and registered AMSI providers. This is useful for defenders auditing the consistency of AMSI utilization across an environment. Author: Matthew Graeber (@mattifestation) License: BSD 3-Clause .EXAMPLE Get-AmsiModule .OUTPUTS AMSI.ModuleInfo Outputs objects representing information about AMSI itself as well as each registered AMSI provider. .NOTES Get-AmsiModule only returns AMSI registrations that correspond to the architecture of the current PowerShell process. To return WOW64 registrations, run 32-bit PowerShell, if desired. #> [CmdletBinding()] param() try { # requires PSv3+ due to use of Get-ItemPropertyValue Set-StrictMode -Version 3 } catch { # throw a .NET exception instead of a PowerShell one throw $_ return } $AmsiUtilsType = [PSObject].Assembly.GetType('System.Management.Automation.AmsiUtils') if ($AmsiUtilsType) { $IsInitialized = $AmsiUtilsType.GetField('AmsiInitialized').GetValue($null) > $null if (-not $IsInitialized) { Write-Verbose "AMSI is not initialized in the current process. Process ID: $PID" } } else { Write-Verbose 'The System.Management.Automation.AmsiUtils class is not present.' } # get information for the base AMSI implementation # https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/ $AMSIGuid = '{fdb00e52-a214-4aa1-8fba-4357bb0072ec}' $AMSIHKCRPath = "Registry::HKEY_CLASSES_ROOT\CLSID\$AMSIGuid" $AMSIName = Get-ItemPropertyValue -Path $AMSIHKCRPath -Name '(default)' $AMSIPath = Get-ItemPropertyValue -Path "$AMSIHKCRPath\InprocServer32\" -Name '(default)' $AMSIFileInfo = Get-Item -Path $AMSIPath.Trim('"') $AMSISignature = Get-AuthenticodeSignature -FilePath $AMSIFileInfo.FullName [PSCustomObject] @{ PSTypeName = 'AMSI.ModuleInfo' CLSID = [Guid] $AMSIGuid Name = $AMSIName Module = $AMSIFileInfo Signature = $AMSISignature } # enumerate every registered AMSI provider Get-ChildItem -Path HKLM:\Software\Microsoft\AMSI\Providers -ErrorAction SilentlyContinue | ForEach-Object { $ProviderGuid = $_.PSChildName $HKCRPath = "Registry::HKEY_CLASSES_ROOT\CLSID\$ProviderGuid" $ProviderName = Get-ItemPropertyValue -Path $HKCRPath -Name '(default)' $ProviderPath = Get-ItemPropertyValue -Path "$HKCRPath\InprocServer32\" -Name '(default)' $AMSIProviderModule = Get-Item -Path $ProviderPath.Trim('"') $ProviderSignature = Get-AuthenticodeSignature -FilePath $AMSIProviderModule.FullName [PSCustomObject] @{ PSTypeName = 'AMSI.ModuleInfo' CLSID = [Guid] $ProviderGuid Name = $ProviderName Module = $AMSIProviderModule Signature = $ProviderSignature } } }