SOLVED

AmsiScriptContent not under DeviceEvents table? MITRE Eval 2022


I was going through the MITRE eval results for 2022.


One of the queries for script executions is documented as a DeviceEvent table search for ActionType "AmsiScriptContent". Looks like a very useful log source.


However, I was not able to replicate this query in my own environment. There are 0 results for "AmsiScriptContent" anywhere in the schema or online.


Would be grateful if anyone can confirm they are able to replicate this query or not. 


References:


  1. Command and Scripting Interpreter (T1059) https://attackevalscdnendpoint.azureedge.net/publicsiteima... 
  2. https://attackevals.mitre-engenuity.org/enterprise/participants/microsoft?view=results&adversary=wiz...
3 Replies

I also get 0 results. Perhaps this event only registers when AMSI tags something.

Solution (best response confirmed by Hamza_Bilal):

Scratch that. The ActionType is now just 'ScriptContent'.

Under which table? DeviceEvents? Update: You nailed it. It is indeed changed to the ScriptContent ActionType under the DeviceEvents table.

It is not documented in the schema though... :happyface:
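An advanced-hunting query that follows the thread's conclusion, added here as an example and not taken from the thread or the MITRE evaluation: the first statement enumerates the ActionType values actually present so the name can be confirmed in your own tenant, and the second reads the captured script text. It assumes the script body is exposed as a `ScriptContent` property inside the `AdditionalFields` JSON, which is an assumption to check against a live event, and the keyword list is a constructed starting point to tune.

```kql
// Added example, not code from the thread. Assumes the ActionType the thread settled on
// ("ScriptContent" under DeviceEvents) and that the script text is carried in the
// AdditionalFields JSON as a "ScriptContent" property (assumption; verify on a live event).

// Step 1: confirm which ActionType names exist in this tenant before relying on one.
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType has "ScriptContent"
| summarize Events = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp) by ActionType

// Step 2: pull the captured script text and surface the entries worth a closer look.
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "ScriptContent"
| extend Fields = parse_json(AdditionalFields)
| extend ScriptText = tostring(Fields.ScriptContent)   // assumed property name
| where isnotempty(ScriptText)
// Constructed keyword list: common encode/download/eval patterns, tune for your environment.
| extend Suspicious = ScriptText has_any ("FromBase64String", "DownloadString",
                                          "Invoke-Expression", "-EncodedCommand")
| project Timestamp, DeviceName, InitiatingProcessAccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          Suspicious, ScriptSnippet = substring(ScriptText, 0, 200)
| order by Suspicious desc, Timestamp desc
```

Run the two statements separately in the advanced hunting editor; if step 1 returns no rows, the event is not being generated for your devices rather than merely misnamed.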