Finding AMSI Signatures

Using PSAmsi, we can search for and find the exact strings within a script that are flagged by the AMSI!

The easiest way to do this is with Find-AmsiSignatures:

PS > $AmsiSignatures = Find-AmsiSignatures -ScriptUri 'https://github.com/PowerShellMafia/PowerSploit/raw/master/Exfiltration/Invoke-Mimikatz'
PS > $AmsiSignatures.Count
7

Like all functions that accept a Script as input in PSAmsi, the Find-AmsiSignatures function accepts either a String, Path, Uri, or ScriptBlock using the -ScriptString, -ScriptPath, -ScriptUri, or -ScriptBlock parameters.

For example:

PS > $AmsiSignatures = Find-AmsiSignatures -ScriptUri 'https://github.com/PowerShellMafia/PowerSploit/raw/master/Exfiltration/Invoke-Mimikatz'
PS > $AmsiSignatures.Count
7
PS > $AmsiSignatures = Find-AmsiSignatures -ScriptString 'example'
PS > $AmsiSignatures = Find-AmsiSignatures -ScriptPath './EvilScript.ps1'
PS > $AmsiSignatures = Find-AmsiSignatures -ScriptBlock { 'test' }

Additionally, Find-AmsiSignatures can take the AbstractSyntaxTree and PSTokens that represent a script, if you happen to have those.

PS > $AmsiSignatures = Find-AmsiSignatures -AbstractSyntaxTree (Get-Ast -ScriptString $String) -PSTokens (Get-PSTokens -ScriptString $String)

You can also retrieve all of the Asts (AbstractSyntaxTree) or PSTokens within a script that are flagged by AMSI!

PS > $AmsiAstSignatures = Find-AmsiAstSignatures -ScriptString $malware
PS > $AmsiPSTokenSignatures = Get-AmsiPSTokenSignatures -ScriptString $malware

Find-AmsiSignatures is really just a wrapper for these functions that does de-duplication for you. So watch out for duplicates from Find-AmsiAstSignatures and Find-AmsiPSTokenSignatures.