In a previous article I described where the AMSI log files of the Exchange server can be found. Since the logs are stored locally on the Exchange server, they are of little use if nobody reads them: attacks are then only noticed when it is already too late.
However, the logs can be read easily with PowerShell and processed further as required. I have written a small PowerShell function to evaluate the AMSI logs (the HttpRequestFiltering logs):
function Get-HttpRequestFilteringLogs {
<#
.SYNOPSIS
Identifies and reports malicious events detected by AMSI from Exchange Server HttpRequestFiltering Logs.
.DESCRIPTION
Get-HttpRequestFilteringLogs is an advanced PowerShell function that parses Exchange Server HttpRequestFiltering
logs (the logs in which Exchange records the AMSI scan result of incoming HTTP requests) and returns only the
entries whose ScanResult is 'Detected', i.e. requests that AMSI flagged as malicious.
.PARAMETER LogFile
The path to the Exchange HttpRequestFilteringLogs log files.
.EXAMPLE
Get-HttpRequestFilteringLogs -LogFile 'C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpRequestFiltering\HttpRequestFiltering_2021072318-1.LOG'
.EXAMPLE
$AMSILogs = Get-ChildItem -Path '\\servername\c$\Program Files\Microsoft\Exchange Server\V15\Logging\HttpRequestFiltering\*.log'
$AMSILogs | Get-HttpRequestFilteringLogs | Out-GridView -Title 'AMSI Events'
.INPUTS
String
.OUTPUTS
PSCustomObject
.NOTES
Author: Frank Zoechling
Website: https://www.frankysweb.de
Twitter: @FrankysWeb
#>
[CmdletBinding()]
param (
    # Accepts one or more log file paths as an argument or from the pipeline.
    # [Alias('FullName')] additionally lets objects with a FullName property
    # (Get-ChildItem output) bind by property name.
    [Parameter(Mandatory,
               ValueFromPipeline,
               ValueFromPipelineByPropertyName)]
    [Alias('FullName')]
    [ValidateScript({
        # Test-Path ignores -Include for a plain file path (it only applies to
        # wildcard paths), so the extension is checked explicitly.
        (Test-Path -Path $_ -PathType Leaf) -and ($_ -like '*.log')
    })]
    [string[]]$LogFile
)
PROCESS {
    foreach ($file in $LogFile) {
        # The Exchange logs are CSV files with a few '#'-prefixed comment lines
        # at the top; the '#Fields:' line carries the column names.
        $Headers = (Get-Content -Path $file -TotalCount 6 |
            Where-Object {$_ -like '#Fields*'}) -replace '#Fields: ' -split ','
        # Import-Csv also turns the comment lines into rows, but those never
        # have ScanResult = 'Detected' and are dropped by the filter.
        Import-Csv -Header $Headers -Path $file |
            Where-Object {$_.ScanResult -eq 'Detected'}
    }
}
}
Once the function has been loaded into a PowerShell session (dot-source the script file or paste the function into the session), it can be used directly. The built-in help shows the syntax and examples:
Get-Help Get-HttpRequestFilteringLogs -Examples
The function can read a single log file or several log files at once: the first example in the help shows a single file, the second reads all log files of a server via the administrative share (C$).
Because the paths come in via the pipeline, the log files can be pre-filtered, for instance by date, and the detections displayed in a GridView. Run in the HttpRequestFiltering log directory (or with the full path given to Get-ChildItem), the following reads only the logs of the last 7 days:
Get-ChildItem -Path *.log | Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } | Get-HttpRequestFilteringLogs | Out-GridView -Title 'AMSI Events'
The result then looks like this, for example:
Since the function returns ordinary objects, the detections can also be exported (Export-Csv, ConvertTo-Json) or forwarded to other systems, such as a SIEM, and processed further there.
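As an added example that is not part of the original post: the following script forwards the detections returned by Get-HttpRequestFilteringLogs into the Windows Application event log, from where the usual SIEM agents (Winlogbeat, Splunk Universal Forwarder, Azure Monitor agent) already collect events, and it keeps a state file of SHA-256 fingerprints so that a scheduled run never reports the same detection twice. It assumes the function from above is already loaded in the session and Windows PowerShell 5.1 (Write-EventLog does not exist in PowerShell 7); the event source name ExchangeAmsiForwarder, the event ID 4711 and the state file path are arbitrary choices for this example, not anything Exchange defines.

```powershell
# Added example (not from the original post): forward AMSI detections from the
# Exchange HttpRequestFiltering logs to the Windows Application event log.
# Requires Windows PowerShell 5.1 and the function Get-HttpRequestFilteringLogs
# from the article already loaded in the session.

# Source name, event ID and state file path are arbitrary choices for this example.
$Source    = 'ExchangeAmsiForwarder'
$EventId   = 4711
$StateFile = Join-Path $env:ProgramData 'ExchangeAmsiForwarder.state'

function Register-AmsiEventSource {
    # Creating an event source needs administrative rights once; afterwards any
    # account allowed to write to the Application log can use it.
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        New-EventLog -LogName Application -Source $Source
    }
}

function Get-DetectionFingerprint {
    param([Parameter(Mandatory)]$Detection)
    # Hash the complete row, so the fingerprint does not depend on the column
    # layout, which differs between Exchange builds.
    $json  = $Detection | ConvertTo-Json -Compress
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($json))
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Send-AmsiDetectionsToEventLog {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$LogDirectory,
        [int]$Days = 7
    )
    Register-AmsiEventSource

    # Fingerprints of detections that were already forwarded in earlier runs.
    $seen = @{}
    if (Test-Path -Path $StateFile) {
        Get-Content -Path $StateFile | ForEach-Object { $seen[$_] = $true }
    }

    # -ExpandProperty FullName hands the function unambiguous full paths instead
    # of relying on the string conversion of FileInfo objects.
    $detections = Get-ChildItem -Path $LogDirectory -Filter '*.log' |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$Days) } |
        Select-Object -ExpandProperty FullName |
        Get-HttpRequestFilteringLogs

    $forwarded = 0
    foreach ($d in $detections) {
        $fp = Get-DetectionFingerprint -Detection $d
        if ($seen.ContainsKey($fp)) { continue }

        # The whole row goes into the message as JSON, so the SIEM side can
        # parse it without knowing the column names in advance.
        $message = "AMSI detection on $env:COMPUTERNAME`r`n" + ($d | ConvertTo-Json)
        Write-EventLog -LogName Application -Source $Source -EntryType Warning `
            -EventId $EventId -Message $message

        Add-Content -Path $StateFile -Value $fp
        $seen[$fp] = $true
        $forwarded++
    }
    Write-Verbose "$forwarded new detection(s) forwarded to the Application log"
    $forwarded
}

# Usage, e.g. from a scheduled task that runs every few minutes:
# Send-AmsiDetectionsToEventLog -LogDirectory 'C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpRequestFiltering' -Verbose
```

The script returns the number of newly forwarded detections, which makes it easy to alert on a non-zero result from the scheduled task. Hashing the whole row rather than selected columns is deliberate: the HttpRequestFiltering column layout is read from the '#Fields:' header at run time, so the forwarder does not break when a cumulative update adds or renames a column.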