## Malware Sample Inspected

Trickbot COVID macro lure [via MSFT](https://twitter.com/MsftSecIntel/status/1251181180281450498): [`ec34b207d503a3c95ee743ee296a08e93a5e960aa4611ea8c39d8e5d4c5f6593`](https://www.virustotal.com/gui/file/ec34b207d503a3c95ee743ee296a08e93a5e960aa4611ea8c39d8e5d4c5f6593/details)

`test.js`

```javascript
eval("WScript.CreateObject(\"WScript.Shell\").Run(\"calc.exe\");");
```

## Tools Used

[Perfview](https://github.com/microsoft/perfview/releases) - Used to dump the instrumentation manifest for the AMSI ETW provider using the following command:

`PerfView.exe /nogui userCommand DumpRegisteredManifest Microsoft-Antimalware-Scan-Interface`

[WEPExplore](https://github.com/lallousx86/WinTools/blob/master/WEPExplorer/Binaries/WEPExplore_v1.2.zip) - Visual UI for inspecting ETW provider manifests

## Commands Issued

Validate that AMSI is configured to collect on all VBA macros:

```powershell
Get-ItemPropertyValue -Path HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security\ -Name MacroRuntimeScanScope
```

A value of `2` indicates that AMSI scanning is enabled for all docs. [Reference](https://getadmx.com/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope)
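The one-liner above throws if the policy key or value is absent, which is the common case on a machine where the policy was never set. The following function is an added example (not part of the original notes) that reads the same value but reports "not configured" instead of failing, and maps the number to the meaning given in the linked policy reference; the function name and the `$PolicyPath` parameter are assumptions.

```powershell
# Added example, not from the original notes. Reads the same MacroRuntimeScanScope policy value
# the check above reads, but tolerates a missing key or value.
function Get-MacroRuntimeScanScope {
    param (
        # Office 16.0 user-policy key, as in the check above (assumed default; older Office
        # versions use a different version segment in the path).
        [string] $PolicyPath = 'HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security'
    )

    # Value meanings as documented for MacroRuntimeScanScope in the linked policy reference.
    $Meaning = @{
        0 = 'Disabled for all documents'
        1 = 'Enabled for low-trust documents only'
        2 = 'Enabled for all documents'
    }

    # -ErrorAction SilentlyContinue turns "key/value not found" into $null instead of a terminating error.
    $raw = Get-ItemProperty -Path $PolicyPath -Name MacroRuntimeScanScope -ErrorAction SilentlyContinue
    $value = if ($null -ne $raw) { [int] $raw.MacroRuntimeScanScope } else { $null }

    [pscustomobject] @{
        Path            = $PolicyPath
        Value           = $value
        Meaning         = if ($null -eq $value) { 'Not configured (policy absent)' }
                          elseif ($Meaning.ContainsKey($value)) { $Meaning[$value] }
                          else { 'Unrecognised value' }
        CoversAllMacros = ($value -eq 2)   # only 2 means every macro is handed to AMSI
    }
}

# Usage:
# Get-MacroRuntimeScanScope | Format-List
```

`CoversAllMacros` is the property to assert on before trusting a trace: if it is `$false`, a clean trace may simply mean the macro was never scanned, not that AMSI found nothing.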

Start an AMSI ETW trace:

```powershell
logman --% start AMSITrace -p Microsoft-Antimalware-Scan-Interface (Event1) 0x4 -o AMSITrace.etl -ets
```

Stop an AMSI ETW trace:

```powershell
logman stop AMSITrace -ets
```

Note: `--%` is PowerShell's stop-parsing token. It tells PowerShell to pass the rest of the line to `logman` verbatim, so the parentheses in `(Event1)` are not parsed as PowerShell syntax.

PowerShell function to clean up the output of `Get-WinEvent` so the AMSI trace data is easier to interpret:

```powershell
function Get-AMSITraceEvent {
    param (
        [Parameter(Mandatory)]
        [String]
        $FilePath
    )

    # Event ID 1101 is the AMSI scan event. The property indices below follow the provider
    # manifest dumped with PerfView (see Tools Used).
    Get-WinEvent -Path $FilePath -Oldest -FilterXPath '*[System[EventID = 1101]]' | ForEach-Object {

        # Map the numeric AMSI_RESULT to its name. Inside a switch block $_ is the value being
        # tested, so the default case passes that value through unchanged.
        switch ($_.Properties[2].Value) {
            0 { $ScanResult = 'AMSI_RESULT_CLEAN' }
            1 { $ScanResult = 'AMSI_RESULT_NOT_DETECTED' }
            32768 { $ScanResult = 'AMSI_RESULT_DETECTED' }
            default { $ScanResult = $_ }
        }

        $ObjectProperties = [Ordered] @{
            TimeCreated = $_.TimeCreated
            ProcessId = $_.ProcessId
            ThreadId = $_.ThreadId
            Session = $_.Properties[0].Value
            ScanStatus = $_.Properties[1].Value
            ScanResult = $ScanResult
            AppName = $_.Properties[3].Value
            ContentName = $_.Properties[4].Value
            ContentSize = $_.Properties[5].Value
            OriginalSize = $_.Properties[6].Value
            # Scanned content is logged as UTF-16 bytes
            Content = ([Text.Encoding]::Unicode.GetString($_.Properties[7].Value))
            # Content hash is logged as raw bytes; render it as an upper-case hex string
            Hash = (($_.Properties[8].Value | ForEach-Object { '{0:X2}' -f $_ }) -join '')
            ContentFiltered = $_.Properties[9].Value
        }

        New-Object -TypeName psobject -Property $ObjectProperties
    }
}
```
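The start, exercise, stop and parse steps above are easy to leave half-done (an ETW session that is never stopped keeps running). The following is an added example, not from the original notes, that wraps the same `logman` commands and `Get-AMSITraceEvent` into one call and adds a summary view; it assumes `Get-AMSITraceEvent` is already loaded in the session, that `logman.exe` is on the PATH, and that the shell is elevated. The function names, the `$Exercise` parameter and the default session name are assumptions.

```powershell
# Added example, not from the original notes. Assumes Get-AMSITraceEvent (defined above) is loaded.
function Invoke-AMSITrace {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)]
        [scriptblock] $Exercise,               # the script activity to observe while the trace runs
        [string] $SessionName = 'AMSITrace',   # assumed default; matches the logman commands above
        [string] $EtlPath = (Join-Path $PWD 'AMSITrace.etl')
    )

    # Quoting '(Event1)' keeps the parentheses away from PowerShell's parser, which is what --% did above.
    & logman.exe start $SessionName -p 'Microsoft-Antimalware-Scan-Interface' '(Event1)' 0x4 -o $EtlPath -ets | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "logman start failed with exit code $LASTEXITCODE (is the shell elevated?)" }

    try {
        & $Exercise
    }
    finally {
        # Always stop the session, even if the exercised script throws; otherwise the ETW session lingers.
        & logman.exe stop $SessionName -ets | Out-Null
    }

    Get-AMSITraceEvent -FilePath $EtlPath
}

# Collapse a trace into one row per (AppName, ScanResult), listing the distinct content names seen.
function Get-AMSITraceSummary {
    param (
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject[]] $Event
    )
    begin { $all = [System.Collections.Generic.List[psobject]]::new() }
    process { $all.AddRange([psobject[]] $Event) }
    end {
        $all | Group-Object AppName, ScanResult | ForEach-Object {
            [pscustomobject] @{
                AppName    = $_.Group[0].AppName
                ScanResult = $_.Group[0].ScanResult
                Events     = $_.Count
                Contents   = ($_.Group.ContentName | Sort-Object -Unique) -join '; '
            }
        }
    }
}

# Usage, e.g. with the author's test.js harness from the top of the page:
# $events = Invoke-AMSITrace -Exercise { cscript.exe //Nologo .\test.js }
# $events | Get-AMSITraceSummary | Format-Table -AutoSize
# $events | Where-Object { $_.Content -match 'CreateObject' } | Select-Object AppName, ScanResult, Content
```

The summary is the quick check that the script engine you expected (for `test.js`, the WSH JScript engine) actually submitted content to AMSI; a trace with no rows for that `AppName` means the content was never scanned, which is a different finding from `AMSI_RESULT_CLEAN`.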

## Additional References

* [Windows Script Host (WSH) keywords explicitly considered w/ AMSI](https://twitter.com/KyleHanslovan/status/1083344377404186625)
* [Antimalware Scan Interface Detection Optics Analysis Methodology: Identification and Analysis of AMSI for WMI](https://posts.specterops.io/antimalware-scan-interface-detection-optics-analysis-methodology-858c37c38383)