GitHub

unloading_amsi_via_reflection.yml

description: The following analytic detects the tampering of AMSI (Antimalware Scan Interface) via PowerShell reflection. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and ...
GitHub

m1-web-01-iis_setupwizard_302.log

#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken 2024-02-21 02:13: ...