Forum Discussion

Hamza_Bilal
Copper Contributor
Jul 03, 2022
Solved

AmsiScriptContent not under DeviceEvents table? MITRE Eval 2022

I was going through the MITRE eval results for 2022.

One of the queries for script executions is documented as a DeviceEvents table search for ActionType "AmsiScriptContent". Looks like a very useful log source.

However, I was not able to replicate this query in my own environment. There are 0 results for "AmsiScriptContent" anywhere in the schema or online.

Would be grateful if anyone can confirm they are able to replicate this query or not.

References:

  1. https://attackevalscdnendpoint.azureedge.net/publicsiteimages/WizardSpider-Sandworm_MS_1.A.2_3.png
  2. https://attackevals.mitre-engenuity.org/enterprise/participants/microsoft?view=results&adversary=wizard-spider-sandworm&scenario=1

3 Replies

  • jbmartin6
    Iron Contributor
    I also get 0 results. Perhaps this event only registers when AMSI tags something
    • jbmartin6
      Iron Contributor
      Scratch that. The ActionType is now just 'ScriptContent'
      • Hamza_Bilal
        Copper Contributor
        Under which table? DeviceEvents? Update: You nailed it. It is indeed changed to ScriptContent ActionType under DeviceEvents Table.

        It is not documented in the schema though... :happyface:
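The thread resolves to "the ActionType is ScriptContent, in DeviceEvents". Below is an added advanced-hunting example to put that to use; it is not a query from the thread, from the MITRE evaluation page, or from Microsoft's documentation. The first statement is the check a practitioner would run before trusting either name: it counts both the old and the new ActionType values over the retention window. The second statement hunts inside the captured script body. The assumptions of this example are: that the script text is stored under a key named ScriptContent inside the AdditionalFields JSON column (verify against a raw row in your tenant, as the comment shows), the 30-day lookback, and the indicator strings, which are constructed for illustration only.

```kql
// Added example, not code from the thread. Run each statement separately in Advanced Hunting.

// Step 1: confirm which ActionType value the tenant actually emits and when it was last seen.
// A tenant whose data predates the rename may show neither value, or only the old one, so
// check both before building detections on the name.
DeviceEvents
| where Timestamp > ago(30d)                      // assumption: 30-day retention window
| where ActionType in ("AmsiScriptContent", "ScriptContent")
| summarize Events = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp) by ActionType

// Step 2: hunt in the script body carried with the ScriptContent event.
// The key name "ScriptContent" inside AdditionalFields is an assumption of this example;
// confirm it with:  DeviceEvents | where ActionType == "ScriptContent" | take 1 | project AdditionalFields
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType == "ScriptContent"
| extend Script = tostring(parse_json(AdditionalFields).ScriptContent)
| where isnotempty(Script)
// Constructed indicator list for illustration: download cradles and AMSI-tampering strings.
| where Script has_any ("DownloadString", "FromBase64String", "AmsiUtils", "amsiInitFailed", "IEX")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, Script
| order by Timestamp desc
```

Run the count query first; if only the new name appears, any saved hunting queries or custom detection rules still keyed on "AmsiScriptContent" are silently returning nothing and should be updated. Keep the indicator list in the second query short and review hits manually, since script bodies are free text and a single term like IEX will match legitimate administrative scripts as well.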