
List Anti-malware Scan Interface Script Detection

Description

The Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product that’s present on a machine. AMSI provides enhanced malware protection for your end-users and their data, applications, and workloads.

This KQL query lists all AmsiScriptDetection events that occurred in your tenant. Note that these events do not necessarily result in incidents in Defender for Endpoint, so it is recommended to monitor or report on them separately.

Risk

An adversary uses PowerShell to execute a malicious script, and AMSI detects that script. Since such a detection does not necessarily raise an alert, the adversary might still go unnoticed in your network.

Query

Microsoft Defender For Endpoint
Kusto
DeviceEvents
| where ActionType == "AmsiScriptDetection"
| extend Description = tostring(parse_json(AdditionalFields).Description)
| project Timestamp, DeviceName, InitiatingProcessCommandLine, Description

Microsoft Sentinel
Kusto
DeviceEvents
| where ActionType == "AmsiScriptDetection"
| extend Description = tostring(parse_json(AdditionalFields).Description)
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine, Description
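The per-event listing above can be noisy on a large tenant. The following query is an added example, not one of the page's own queries: it aggregates AMSI script detections per device, account and initiating process over the last 24 hours, so hosts with repeated hits stand out for triage. It uses only standard DeviceEvents columns; the lookback window of 24h is an assumption to adjust to your reporting interval, and for the Defender for Endpoint portal replace TimeGenerated with Timestamp.

```kusto
// Added example: summarize AMSI script detections per host and initiating process.
// Assumed lookback window; tune to your review cadence.
let lookback = 24h;
DeviceEvents
| where TimeGenerated > ago(lookback)
| where ActionType == "AmsiScriptDetection"
// Description is carried in the AdditionalFields JSON blob
| extend Description = tostring(parse_json(AdditionalFields).Description)
| summarize
    Detections   = count(),
    FirstSeen    = min(TimeGenerated),
    LastSeen     = max(TimeGenerated),
    Descriptions = make_set(Description, 10),
    CommandLines = make_set(InitiatingProcessCommandLine, 10)
    by DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName
| order by Detections desc
```

Grouping on InitiatingProcessFileName separates PowerShell, wscript and other script hosts, and the capped make_set keeps the result readable while still surfacing the distinct command lines that triggered AMSI on each host.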
