Fileless script load events collected through integration with the Windows Antimalware Scan Interface (AMSI) can be reported in the console and forwarded through the Event Forwarder in JSON and LEEF formats.

To see the raw AMSI data in the console, you can expand a fileless_scriptload event. The metadata that the fileless script load event captures includes the unique SHA-256 hash of the fileless script load event, the command length, and the command line content (which can be expanded to view the full content if it is truncated).

Fileless Script Load Event

Carbon Black EDR Windows sensors perform asynchronous RPC calls; the sensor captures commands and script contents that PowerShell executes.