PowerShell’s “Script Block Logging” is still so trivial to bypass, so for anyone playing with post exploitation tools and wondering why logging stops it’s likely due to this code snippet;
$GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockLogging'] = 0
$GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockInvocationLogging'] = 0
This basically sets a cached value held by PowerShell to disable the logging no matter the currently applied Group Policy settings. Really annoying when you wanna see what's being run inside some really interesting PowerShell modules such as PowerSploit and anything within the Empire framework. Here is the standard Empire stager which implements the bypass.
This type of event is generally the last you'll see for that session in the PowerShell event log. However the nasty thing from a monitoring point of view is that other sessions are not affected. Therefore you'll continue to receive events from other sessions but not the naughty one. So we can't event monitor for the logs going quiet with any degree of confidence.
We can however monitor for the "EnableScriptBlockLogging" and "EnableScriptBlockInvocationLogging" strings to give an indication that there was an attempt to alter these values. Other than that we are really waiting for a patch from Microsoft on this one.
There are other things we can do in order to see what happens afterwards such as;
- Enable PowerShell transcription logging. This will log PowerShell details to a text file so you can see what's being executed and this does not appear to be susceptible to such a trivial bypass.
- Edit the script your running to either remove the bypass or set the PowerShell cached dictionary entries to "1". Doing it PowerShell is easy enough or CyberChef is brilliant for this type of stuff, link below.
- Rely on Pipeline Execution Events generated by enabling "Module Logging" these are still pretty good from a monitoring point of view but generally contain less information.
Hopefully Microsoft patches this sooner rather than later.
Some Useful Resources
CyberChef - The Cyber Swiss Army Knife
A simple, intuitive web app for analysing and decoding data without having to deal with complex tools or programming languages. CyberChef encourages both technical and non-technical people to explore data formats, encryption and compression.
PowerShell ScriptBlock Logging Bypass
In Windows 10 / PowerShell 5.0, Microsoft introduced several new security features in PowerShell. These included the AMSI, Protected Event Logging, and maybe most importantly ScriptBlock logging. The comprehensive ScriptBlock logging now available in PowerShell has presented serious problems for attackers. Now, it is possible for defenders to have access to full logs recording all of an attacker’s malicious PowerShell activity. This has caused some to even suggest that the offensive community should move away from PowerShell altogether.
PowerShell Encoding & Decoding (Base64)
PowerShell provides an easy method for Base64 encoding and decoding.