
Detect AMSI Script Attacks Using KQL Query

Microsoft Defender for Endpoint records each time the Antimalware Scan Interface (AMSI) flags script content as a DeviceEvents row with the action type AmsiScriptDetection. PowerShell is the common case, but AMSI also inspects VBScript, JScript, Windows Script Host and Office VBA content. The query below lists those events so that security teams can review script execution attempts that AMSI flagged. Not every AMSI detection produces a Defender for Endpoint alert or incident, so hunting these events in KQL on a regular schedule keeps flagged scripts from going unnoticed in your network.

Risk

Adversaries routinely run PowerShell that AMSI flags without the detection being escalated to an alert or incident. An attacker can keep operating quietly while the only trace left is an AmsiScriptDetection event, so reviewing those events is essential to surface activity that would otherwise go unnoticed and to reduce the dwell time of an intrusion.

Query

Microsoft Defender for Endpoint

Kusto
// Defender for Endpoint advanced hunting: AMSI detections with the flagging process context
DeviceEvents
| where ActionType == "AmsiScriptDetection"
// AdditionalFields is a JSON string; pull out the description AMSI attached to the detection
| extend Description = tostring(parse_json(AdditionalFields).Description)
| project Timestamp, DeviceName, InitiatingProcessCommandLine, Description
| order by Timestamp desc

Microsoft Sentinel

Kusto
// Sentinel (Defender for Endpoint connector): same logic, but the time column is TimeGenerated
DeviceEvents
| where ActionType == "AmsiScriptDetection"
// AdditionalFields is a JSON string; pull out the description AMSI attached to the detection
| extend Description = tostring(parse_json(AdditionalFields).Description)
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine, Description
| order by TimeGenerated desc

The query filters DeviceEvents to rows whose ActionType is AmsiScriptDetection, parses the AdditionalFields JSON to extract the Description that AMSI attached to the detection, and projects the timestamp, the device name, the command line of the process that submitted the script (typically powershell.exe) and that description. Note that InitiatingProcessCommandLine is the host process's command line, not the script content itself: for an encoded or file-based script it may show only an -EncodedCommand argument or a path, so the Description and the process context are the analyst's starting points for investigating what was flagged. The Sentinel version is identical apart from TimeGenerated, which Sentinel uses in place of Timestamp.
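To act on the point above that AMSI detections do not always become alerts, here is an added example (written for this page, not a query from the original post) that keeps only the AmsiScriptDetection events with no Defender alert on the same device within a correlation window. It assumes the standard advanced hunting DeviceEvents and AlertEvidence tables; the 7-day lookback and 60-minute window are illustrative values to tune for your environment. In Sentinel, replace Timestamp with TimeGenerated in both tables.

```kusto
// Added example (not from the original post): AMSI detections that no Defender
// alert appears to cover. Assumes the standard DeviceEvents and AlertEvidence
// schemas; lookback and corrWindowMinutes are illustrative values to tune.
let lookback = 7d;
let corrWindowMinutes = 60;
// AMSI detections with the context of the process that submitted the script
let amsi = DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "AmsiScriptDetection"
    | extend Description = tostring(parse_json(AdditionalFields).Description)
    | project Timestamp, DeviceId, DeviceName, InitiatingProcessAccountName,
              InitiatingProcessFileName, InitiatingProcessCommandLine, Description;
// Every alert that names a device, keyed by DeviceId
let alerts = AlertEvidence
    | where Timestamp > ago(lookback)
    | where isnotempty(DeviceId)
    | project AlertTimestamp = Timestamp, DeviceId, AlertId, Title;
amsi
| join kind=leftouter (alerts) on DeviceId
// An alert covers the detection if it fired on the same device within the window
| extend Covered = isnotempty(AlertId)
    and abs(datetime_diff('minute', AlertTimestamp, Timestamp)) <= corrWindowMinutes
| summarize CoveringAlerts = countif(Covered)
    by Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName,
       InitiatingProcessCommandLine, Description
// Keep only detections with no nearby alert: these are the ones nobody was paged for
| where CoveringAlerts == 0
| order by Timestamp desc
```

The leftouter join deliberately keeps detections on devices with no alerts at all; the countif then separates "an alert fired nearby" from "an alert fired on this device days ago", which a plain leftanti join on DeviceId would conflate. Because the join is by device rather than by evidence, a covering alert is a hint that the activity was already triaged, not proof that the specific script was, so treat the uncovered rows as the priority queue rather than the complete set.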
