
New ScriptBlock Smuggling Attack Lets Attackers Bypass PowerShell Security Logs And AMSI

Ever since the introduction of PowerShell v5, the application has seen less use, specifically among threat actors, penetration testers and red teamers.

This is because PowerShell v5 introduced PowerShell security logging, which gives Blue teams additional options to prevent PowerShell-based threats.

Several techniques were later introduced to bypass this PowerShell security logging, such as AMSI (Antimalware Scan Interface) bypasses and ScriptBlock logging bypasses.

However, all of these techniques involved completely disabling the logging rather than spoofing the logs.


Researchers have discovered a new technique which does not require any reflection or memory patching to execute, and which can spoof an arbitrary message into the ScriptBlock logs while bypassing AMSI.

As background, PowerShell uses ASTs (Abstract Syntax Trees). An AST is a tree-like structure that a compiler builds from source code on its way to producing machine code.

Compiler turning source code into machine code via an AST (Source: Pulse/LinkedIn)

All language compilers work in a similar way, and the same thing happens whenever a ScriptBlock is created within PowerShell. The parent node of every PowerShell AST is the ScriptBlock.

One of the properties of the ScriptBlock AST is the Extent, which is a string representation of the ScriptBlock.

ScriptBlock Smuggling

According to the reports shared with Cyber Security News, all the security features within PowerShell are passed only the Extent of the ScriptBlock.

Further, whenever a ScriptBlock is created by wrapping code in {} or by using [ScriptBlock]::Create(), the AST and subsequently the Extent are generated automatically. This can be used to build a custom AST.

ScriptBlocks are not logged until the first time the ScriptBlock is executed. To prove this theory, researchers created a ScriptBlock that was logged as Write-Output 'Hello' but actually executed Write-Output 'World'.

The executed code was not observed by the logs or by AMSI.

Logs not observed (Source: Pulse/LinkedIn)

Another test created a ScriptBlock from C# which executed Write-Output 'amsicontext', demonstrating the ability to bypass AMSI without any patching or reflection.

C# based ScriptBlock (Source: Pulse/LinkedIn)

This particular behaviour can be leveraged as a basic AMSI bypass, but the technique can be escalated to more critical things such as command hooking.

ScriptBlock smuggling allows users to spoof PowerShell security logs, which allows an unauthenticated user or threat actor to bypass all kinds of AV and EDR detections.
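A defensive counterpart to the technique described above, added here as an example and not code from the article or from the researchers: it re-parses a ScriptBlock's Extent, the string that ScriptBlock logging and AMSI receive, and compares a structural signature of that parse with the AST PowerShell will actually execute. It assumes that a smuggled ScriptBlock exposes its custom AST through the .Ast property, and the function names are my own.

```powershell
using namespace System.Management.Automation.Language

# Added example (hypothetical helper names). Builds one line per AST node carrying
# the semantic detail that matters: command name, constant value, variable name,
# type name, operator. Two trees with equal signatures run the same code.
function Get-AstSignature {
    param([Parameter(Mandatory)][Ast]$Root)
    $Root.FindAll({ $true }, $true) | ForEach-Object {
        $detail = ''
        if     ($_ -is [CommandAst])            { $detail = $_.GetCommandName() }
        elseif ($_ -is [ConstantExpressionAst]) { $detail = [string]$_.Value }
        elseif ($_ -is [VariableExpressionAst]) { $detail = $_.VariablePath.UserPath }
        elseif ($_ -is [TypeExpressionAst])     { $detail = $_.TypeName.FullName }
        elseif ($_ -is [BinaryExpressionAst])   { $detail = [string]$_.Operator }
        '{0}:{1}' -f $_.GetType().Name, $detail
    }
}

function Test-ScriptBlockExtentIntegrity {
    param([Parameter(Mandatory)][scriptblock]$ScriptBlock)

    # A ScriptBlock literal's Extent includes its braces; strip them so the
    # re-parse yields the same tree shape as the literal's own AST.
    $text = $ScriptBlock.Ast.Extent.Text
    if ($text.StartsWith('{') -and $text.EndsWith('}')) {
        $text = $text.Substring(1, $text.Length - 2)
    }

    # Re-parse the Extent: this is all that logging and AMSI ever get to see.
    $tokens = $null; $errors = $null
    $reparsed = [Parser]::ParseInput($text, [ref]$tokens, [ref]$errors)
    if ($errors.Count -gt 0) {
        # An Extent that does not even parse cannot describe the code being run.
        return [pscustomobject]@{ Consistent = $false; Executed = ''; Logged = '' }
    }

    $executed = @(Get-AstSignature -Root $ScriptBlock.Ast) -join "`n"
    $logged   = @(Get-AstSignature -Root $reparsed)        -join "`n"
    [pscustomobject]@{
        Consistent = ($executed -eq $logged)   # $false means the logs lie about this block
        Executed   = $executed
        Logged     = $logged
    }
}

# Constructed sample: an ordinary literal whose Extent and AST agree (Consistent = True).
# For a block built with the reported technique, Logged would carry the spoofed
# constant while Executed carries the real one, so Consistent would be False.
Test-ScriptBlockExtentIntegrity -ScriptBlock { Write-Output 'Hello' }
```

This check works on a live ScriptBlock object inside the process; it cannot retroactively validate entries already written to the ScriptBlock log, so it belongs in tooling that inspects blocks before they are invoked.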


Eswar

Eswar is a cyber security reporter with a passion for creating captivating and informative content. With years of experience in cyber security, he reports on data breaches, privacy and APT threats.
