AMSITrigger

Installation

git clone https://github.com/RythmStick/AMSITrigger
# then open the solution and build it with Visual Studio

or download release from https://github.com/RythmStick/AMSITrigger/releases

Place AmsiTrigger_x64.exe and the PowerShell file you want to check in a folder that is excluded from real-time scanning (for example a Microsoft Defender path exclusion), so that the scanner does not quarantine the sample, or the tool itself, before the scan runs. Keep real-time protection itself switched on: AMSI only reports detections when a provider such as Defender is active, so with protection disabled every buffer comes back clean and the tool finds nothing.

Usage

.\AmsiTrigger_x64.exe [PowerShell File] [OPTIONS]

Flags

-i, --inputfile=VALUE       PowerShell filename
-u, --url=VALUE             URL eg. https://10.1.1.1/Invoke-NinjaCopy.ps1
-f, --format=VALUE          Output Format:
                              1 - Only show Triggers
                              2 - Show Triggers with Line numbers
                              3 - Show Triggers inline with code
                              4 - Show AMSI calls (xmas tree mode)
-d, --debug                 Show Debug Info
-m, --maxsiglength=VALUE    Maximum signature Length to cater for,
                              default=2048
-c, --chunksize=VALUE       Chunk size to send to AMSIScanBuffer,
                              default=4096
-h, -?, --help              Show Help

Examples

Scan local file

.\AmsiTrigger_x64.exe -i virus.ps1

Scan remote file

.\AmsiTrigger_x64.exe -u https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Collectors/SharpHound.ps1
Also see

Malware Test VM: Test VM that ensures that no samples leave the system.
ThreatCheck: Modified version of Matterpreter's DefenderCheck. Takes a binary as input (either from a file on disk or a URL), splits it until it pinpoints the exact bytes that the target engine will flag on and prints them to the screen.