ThreatCheck

Installation

git clone https://github.com/rasta-mouse/ThreatCheck
# then build the solution with Visual Studio

Usage

ThreatCheck.exe [FILE] [OPTIONS]

Determine the line(s) of code that are being flagged by Defender.

Obfuscate the detected line(s) of code so it is no longer flagged by Defender.

Flags

  -e, --engine    (Default: Defender) Scanning engine. Options: Defender, AMSI
  -f, --file      Analyze a file on disk
  -u, --url       Analyze a file from a URL
  --help          Display this help screen.
  --version       Display version information.

Examples

Check a local Covenant Grunt with AMSI

Only uses the in-memory script scanning engine; nothing is written to disk.

ThreatCheck.exe -f Downloads\Grunt.bin -e AMSI

Check a local Covenant Grunt with Defender

Temporarily writes the file to disk so the on-access engine can scan it.

ThreatCheck.exe -f Downloads\Grunt.bin -e Defender

Name             Description
Malware Test VM  Test VM that ensures that no samples leave the system.
AMSITrigger      AMSITrigger is a tool to identify malicious strings in PowerShell files.

Also see

N/A