Query Details

MDE Amsi Script Detection

Query

# Defender for Endpoint - AmsiScript Execution - Decode PowerShell commands

## Query Information

### Description

Run the KQL query below to decode PowerShell commands that AMSI has detected and reported as `AmsiScriptDetection` events.

### References

### Microsoft 365 Defender

```Kusto
// Decode PowerShell AmsiScriptDetection events whose initiating command line
// carries a base64 -EncodedCommand payload
DeviceEvents
| where ActionType == @"AmsiScriptDetection"
// Capture a run of 20 or more base64 characters that ends the command line
| extend EncodedCommand = extract(@'\s+([A-Za-z0-9+/]{20}\S+$)', 1, InitiatingProcessCommandLine)
// Note: -EncodedCommand payloads are UTF-16LE, while base64_decode_tostring decodes
// as UTF-8, so the decoded text may show interleaved NUL characters
| extend DecodedCommand = base64_decode_tostring(EncodedCommand)
| where isnotempty(DecodedCommand)
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, DecodedCommand
```

Explanation

This query is used to decode PowerShell commands that have been detected by AMSI (Antimalware Scan Interface). It retrieves events from the DeviceEvents table where the ActionType is "AmsiScriptDetection". It then extracts the encoded command from the InitiatingProcessCommandLine using a regular expression and decodes it using the base64_decode_tostring function. The query filters out any empty decoded commands and projects the Timestamp, DeviceName, InitiatingProcessFileName, FileName, and DecodedCommand fields.
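As an added example that is not part of the original query or Alex Verboon's code, the Python below replays the query's extract / decode / filter steps over constructed DeviceEvents-like rows, and additionally handles the UTF-16LE encoding that `powershell.exe -EncodedCommand` uses (KQL's `base64_decode_tostring` decodes as UTF-8, so its output can contain interleaved NULs). All device names, timestamps and command lines are constructed sample values.

```python
import base64, binascii, re
from typing import Optional
# Same pattern the page's KQL passes to extract(): whitespace, then a run of at
# least 20 base64 characters that continues to the end of the command line.
ENCODED_RE = re.compile(r"\s+([A-Za-z0-9+/]{20}\S+$)")

def extract_encoded(cmdline: str) -> Optional[str]:
    m = ENCODED_RE.search(cmdline)  # mirror of extract(regex, 1, InitiatingProcessCommandLine)
    return m.group(1) if m else None

def decode_command(encoded: str) -> Optional[str]:
    """-EncodedCommand carries UTF-16LE; KQL's base64_decode_tostring decodes as UTF-8
    and leaves NULs. Even-length output containing NUL bytes is decoded as UTF-16LE here."""
    try:
        raw = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) % 2 == 0 and b"\x00" in raw:
        return raw.decode("utf-16-le", errors="replace")
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None

def decode_amsi_events(events):
    """Apply the query's where / extend / project steps to DeviceEvents-like rows."""
    out = []
    for ev in events:
        if ev.get("ActionType") != "AmsiScriptDetection":
            continue
        encoded = extract_encoded(ev.get("InitiatingProcessCommandLine", ""))
        decoded = decode_command(encoded) if encoded else None
        if not decoded:  # isnotempty(DecodedCommand)
            continue
        row = {k: ev.get(k) for k in ("Timestamp", "DeviceName", "InitiatingProcessFileName", "FileName")}
        row["DecodedCommand"] = decoded
        out.append(row)
    return out

# Constructed sample rows shaped like DeviceEvents columns (not real telemetry).
_PAYLOAD = base64.b64encode("Write-Host 'amsi decode test'".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"Timestamp": "2023-06-04T10:00:00Z", "DeviceName": "ws01", "FileName": "powershell.exe",
     "ActionType": "AmsiScriptDetection", "InitiatingProcessFileName": "powershell.exe",
     "InitiatingProcessCommandLine": "powershell.exe -NoP -EncodedCommand " + _PAYLOAD},
    {"Timestamp": "2023-06-04T10:01:00Z", "DeviceName": "ws02", "FileName": "inventory.ps1",
     "ActionType": "AmsiScriptDetection", "InitiatingProcessFileName": "powershell.exe",
     "InitiatingProcessCommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"},
]
```

The second sample row has no base64 tail and is dropped, exactly as the `isnotempty(DecodedCommand)` filter drops it in KQL.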

Details


Alex Verboon

Released: June 4, 2023

Tables

DeviceEvents

Keywords

Devices, Intune, User, Query, KQL

Operators

where, extend, extract, base64_decode_tostring, isnotempty, project