PowerShell ScriptBlock Logging Bypass

In Windows 10 / PowerShell 5.0, Microsoft introduced several new security features in PowerShell. These included AMSI, Protected Event Logging, and, perhaps most importantly, ScriptBlock logging. The comprehensive ScriptBlock logging now available in PowerShell has presented serious problems for attackers: defenders can now have access to full logs recording all of an attacker’s malicious PowerShell activity. This has caused some to suggest that the offensive community should move away from PowerShell altogether.


ObfuscatedEmpire - Use an obfuscated, in-memory PowerShell C2 channel to evade AV signatures

ObfuscatedEmpire is an integration of two fantastic projects, Invoke-Obfuscation and Empire. If you aren’t already familiar with those projects, you really should go check them out first. But here’s a quick summary for those who are unfamiliar:

  • Empire is a PowerShell post-exploitation agent. It’s a powerful tool for attackers as it allows for a C2 channel to be run completely in-memory, without any malicious code touching disk, rendering traditional AV techniques ineffective.
  • Invoke-Obfuscation is a PowerShell script obfuscator. As the use of in-memory PowerShell malware has grown, in-memory AV scanning of PowerShell scripts has begun to be implemented. Invoke-Obfuscation challenges all of the assumptions these in-memory PowerShell AV signatures have been making.