Defender for Endpoint - AmsiScript Execution - Decode PowerShell commands
MDE Amsi Script Detection
Query
// Decode PowerShell AmsiScriptDetection's
DeviceEvents
| where ActionType == @"AmsiScriptDetection"
| extend EncodedCommand = extract(@'\s+([A-Za-z0-9+/]{20}\S+$)', 1, InitiatingProcessCommandLine)
| extend DecodedCommand = base64_decode_tostring(EncodedCommand)
| where isnotempty( DecodedCommand)
| project Timestamp, DeviceName, InitiatingProcessFileName,FileName,DecodedCommandAbout this query
Defender for Endpoint - AmsiScript Execution - Decode PowerShell commands
Query Information
Description
Run the below KQL query to decode powershell commands detected by AMSI
References
Microsoft 365 Defender
Explanation
This query is used to decode PowerShell commands that have been detected by AMSI (Antimalware Scan Interface). It retrieves events from the DeviceEvents table where the ActionType is "AmsiScriptDetection". It then extracts the encoded command from the InitiatingProcessCommandLine using a regular expression and decodes it using the base64_decode_tostring function. The query filters out any empty decoded commands and projects the Timestamp, DeviceName, InitiatingProcessFileName, FileName, and DecodedCommand fields.
Details

Alex Verboon
Released: June 4, 2023
Tables
DeviceEvents
Keywords
DevicesIntuneUserQueryKQL
Operators
whereextendextractbase64_decode_tostringisnotemptyproject