Scripts

This feature is available only on Windows 10 endpoint machines.

EEI uses the Antimalware Scan Interface (AMSI) to obtain the content of scripts executed on Agent machines. The content is captured by ESET Endpoint Security, which is registered as an AMSI provider, and forwarded to EEI.

The Agent machine needs ESET Endpoint Security (EES) 7.2 or later with the AMSI option enabled. The option is found in Advanced Settings > Detection Engine > Advanced Options and is enabled by default.

On Windows 10, AMSI provides information about:

PowerShell (scripts, interactive use, and dynamic code evaluation)

Windows Script Host (wscript.exe and cscript.exe)

JavaScript and VBScript

Office VBA macros

Important

To detect suspicious VBA scripts on monitored machines, EEI needs Office 365 version 1808 and macro runtime scanning enabled. To enable macro scanning, set the registry value HKEY_CURRENT_USER\Software\Microsoft\Office\%VERSION%\Common\Security\MacroRuntimeScanScope to 1 (REG_DWORD; 1 scans macros in documents that Office does not already trust, for example through Trusted Locations or a Trusted Publisher, 2 scans macros in all documents, 0 disables scanning), or run the following PowerShell script. Because the value lives under HKEY_CURRENT_USER, it must be set in the session of every user whose Office activity should be covered:

# Run in a PowerShell session of the affected user (the value is stored under HKEY_CURRENT_USER).
$officeRoot = 'HKCU:\Software\Microsoft\Office'
if (Test-Path -Path $officeRoot) {
    # Each versioned subkey (for example 16.0) gets Common\Security\MacroRuntimeScanScope = 1.
    foreach ($versionKey in Get-ChildItem -Path $officeRoot | Where-Object { $_.PSChildName.Contains('.') }) {
        $securityKey = Join-Path -Path $versionKey.PSPath -ChildPath 'Common\Security'
        # -Force creates the missing Common and Security keys in one step.
        if (-not (Test-Path -Path $securityKey)) {
            New-Item -Path $securityKey -Force | Out-Null
        }
        Set-ItemProperty -Path $securityKey -Name 'MacroRuntimeScanScope' -Value 1 -Type DWord
    }
}

As a result, the content of any script of the types listed above that runs on the Agent machine is displayed in the EEI Server Web Console. Only script content that actually passes through AMSI is captured: code executed by an engine without AMSI integration (for example Windows PowerShell 2.0) or in a process where the AMSI integration has been disabled is not visible to EEI.
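To confirm the prerequisites on an endpoint before expecting script content in the console, the following PowerShell check is an added example; it is not part of the original documentation and not an ESET tool. It lists the AMSI providers registered on the machine (Windows keeps them as CLSID subkeys under HKLM:\SOFTWARE\Microsoft\AMSI\Providers) and reports the MacroRuntimeScanScope value for every versioned Office key found under HKCU, with the meaning of 0, 1 and 2 as described above. Reading the provider display name from the default value of the matching HKLM:\SOFTWARE\Classes\CLSID key is an assumption about how providers register; the function and object property names are the example's own.

```powershell
# Added example, not from the ESET documentation: report registered AMSI providers
# and the Office macro runtime scan scope. Run as the user whose Office settings
# you want to check; enumerating providers does not require elevation.

function Get-AmsiProvider {
    # Windows registers AMSI providers as CLSID subkeys under this path.
    $providerRoot = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    if (-not (Test-Path -Path $providerRoot)) { return @() }
    Get-ChildItem -Path $providerRoot | ForEach-Object {
        $clsid = $_.PSChildName
        # Assumption: the provider's display name is the default value of its CLSID key.
        $clsidKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
        $name = $null
        if (Test-Path -Path $clsidKey) {
            $name = (Get-ItemProperty -Path $clsidKey).'(default)'
        }
        [pscustomobject]@{ Clsid = $clsid; Name = $name }
    }
}

function Get-OfficeMacroScanScope {
    # MacroRuntimeScanScope is per user, so inspect HKCU for each versioned Office key (e.g. 16.0).
    $officeRoot = 'HKCU:\Software\Microsoft\Office'
    if (-not (Test-Path -Path $officeRoot)) { return @() }
    Get-ChildItem -Path $officeRoot | Where-Object { $_.PSChildName -match '^\d+\.\d+$' } | ForEach-Object {
        $securityKey = Join-Path -Path $_.PSPath -ChildPath 'Common\Security'
        $value = $null
        if (Test-Path -Path $securityKey) {
            $value = (Get-ItemProperty -Path $securityKey -Name 'MacroRuntimeScanScope' -ErrorAction SilentlyContinue).MacroRuntimeScanScope
        }
        # Translate the numeric setting into the scan scope it selects.
        $meaning = if ($null -eq $value) {
            'not set'
        } else {
            switch ([int]$value) {
                0       { 'off' }
                1       { 'on for documents Office does not already trust' }
                2       { 'on for all documents' }
                default { "unknown value $value" }
            }
        }
        [pscustomobject]@{
            OfficeVersion         = $_.PSChildName
            MacroRuntimeScanScope = $value
            Meaning               = $meaning
        }
    }
}

'--- Registered AMSI providers ---'
Get-AmsiProvider | Format-Table -AutoSize
'--- Office macro runtime scanning (current user) ---'
Get-OfficeMacroScanScope | Format-Table -AutoSize
```

An Office version that shows "not set" or "off" will not deliver VBA macro content to EEI even though the AMSI provider is registered; apply the registry change from the Important note for that user and re-run the check.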