EDR: How to Enable AMSI Fileless_Script Capture

Article ID: 285640

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Enable the collection of AMSI fileless_scriptload event data.

Environment

  • EDR: Server: 7.6+

Resolution

AMSI event collection is toggled per sensor group in the Carbon Black EDR console:
  1. On the navigation bar, click Sensors.
  2. Select the sensor group.
  3. In the Event Collection Settings section, select the checkbox for Fileless script loads.
  4. Click Save Group.
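Once the group setting is saved and the sensors have picked it up, it is worth confirming that events actually arrive. The following PowerShell script is an added example, not part of the Carbon Black article: it checks that the host can produce AMSI telemetry (amsi.dll present, Windows 10 RS2 / build 15063 or later), refuses to run under powershell_ise.exe because the article notes the ISE is not collected, and then executes a script string that never touches disk so that it should surface as a fileless_scriptload event. The GUID marker, the UTF-8 hashing and the suggestion to search the captured script content for them are assumptions about how an analyst would locate the event; they are not documented sensor behaviour.

```powershell
# Added example (not from the Carbon Black KB article): trigger a known
# fileless script load from powershell.exe so the resulting
# fileless_scriptload event can be found in the EDR console.

# 1. The sensor relies on AMSI, so make sure AMSI is actually present here.
$build = [Environment]::OSVersion.Version.Build
if (-not (Test-Path "$env:SystemRoot\System32\amsi.dll")) {
    throw "amsi.dll not found; this host cannot produce fileless_scriptload events."
}
if ($build -lt 15063) {   # 15063 = Windows 10 RS2 (1703), the minimum the article lists
    Write-Warning "Build $build predates Windows 10 RS2; capture may not be supported."
}

# 2. The article states powershell_ise.exe is not collected, so refuse to run there.
if ($Host.Name -ne 'ConsoleHost') {
    throw "Run this from powershell.exe (ConsoleHost), not from $($Host.Name)."
}

# 3. Build script text in memory only. A fresh GUID makes this run unique so it
#    can be searched for in the captured script content (assumed workflow).
$marker     = [guid]::NewGuid().ToString()
$scriptText = "Write-Output 'fileless-test $marker'"

# 4. Hash the text for a second search key. UTF-8 is an assumption here; the
#    article does not say which encoding the sensor hashes.
$sha256 = [System.Security.Cryptography.SHA256]::Create()
try {
    $hash = ($sha256.ComputeHash([Text.Encoding]::UTF8.GetBytes($scriptText)) |
             ForEach-Object { $_.ToString('x2') }) -join ''
} finally {
    $sha256.Dispose()
}

# 5. Invoke-Expression compiles the string as a new script block, which the
#    engine submits to AMSI; no file is involved, so this is a fileless load.
Invoke-Expression $scriptText

Write-Output "PID $PID | marker $marker | sha256 $hash"
Write-Output "Check this sensor's fileless_scriptload events for the marker or hash."
```

Run it from an ordinary powershell.exe window on a sensor in the group you just changed. If no event appears after the sensor has checked in, re-check that the group setting saved and that the host meets the OS requirement before suspecting the forwarder or SIEM side.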

Additional Information

  • AMSI event capture is disabled by default.
  • The fileless_scriptload event relies on the Antimalware Scan Interface (AMSI), which the sensor supports on Windows 10 RS2 (1703) and later and on Windows Server 2019 and later.
  • To forward these events to a SIEM, enable ingress.event.filelessscriptload under Event Forwarder > Events > Sensor.
  • Script loads that are backed by a file on disk are logged locally; the fileless_scriptload event covers script content that has no backing file.
  • At this time the feature collects script loads from powershell.exe only; powershell_ise.exe is not covered.