AMSI buffer normalization

[random-npc-glitch]

Summary of the new feature / enhancement

I have noticed that AMSI scan buffers can contain escape characters and that aliases are not resolved to the base cmdlet name. Both of these are problematic for signature writers and seem best addressed from within the powershell code base itself.

Examples:

   logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITrace.etl -ets
   powershell -c get-pro`cess
   powershell -c get-pro''cess
   powershell -c g`et-pro""cess
   powershell -c p`s
   powershell -c gp`s
   powershell -c "(('67 65 74 2D 70 72 6F 60 63 65 73' -split ' ' |ForEach-Object {[char][byte]\"0x$_\"}) -join '')+[char]0x73  | iex"
   logman stop AMSITrace -ets

Then run Get-AmsiEvent on the AMSITrace.etl output file
(https://gist.github.com/mgraeber-rc/1eb42d3ec9c2f677e70bb14c3b7b5c9c)

Content         : get-pro`cess
Content         : gp`s
 
(same for pwsh.exe)
pwsh -c gp`s
AppName         : PowerShell_C:\Program Files\PowerShell\7\pwsh.exe_7.4.4
Content         : gp`s

Vendor specific signature languages working on the content buffers can not know arbitrary aliases, implement full syntax parsers, or keep up with new language features.

Once a script is fully parsed and held as AST is there any framework to reconstruct the normalized source from that? Seems that could strip alias and escape char complexities.

Proposed technical implementation details (optional)

No response

[rhubarb-geek-nz]

Quis custodiet ipsos custodes?

Should you also expand variable values, wildcards and symbolic links?

Let me know when AMSI integration is optional like script signature validation, ssl certificate validation and passwords over clear text http.

[SydneyhSmith]

The purpose of AMSI is to pass in the original buffer, if you need this you can use AST parsing...thanks!

[microsoft-github-policy-service]

This issue has been marked as by-design and has not had any activity for 1 day. It has been closed for housekeeping purposes.

[microsoft-github-policy-service]

📣 Hey @random-npc-glitch, how did we do? We would love to hear your feedback with the link below! 🗣️

🔗 https://aka.ms/PSRepoFeedback

Microsoft Forms

[random-npc-glitch]

ok thanks i understand. Powershell is highly mutable making raw buffers low value when it comes to malware signatures.

I was just thinking that since the script will eventually already be going through a full ast parsing on the script engine side there is likely a place where a higher value output would be available for delivery with little extra cost.

Script engine authors are also the defacto experts with their creation, the only ones who can keep up with new evolution's of the language and have all the relevant code already in process.

Event consumers have a multitude of AMSI sources to process, being an expert in each language implementation and having a normalizer at parity with the vendor implementation (including possible quirks) is a lot.