Ever since the introduction of PowerShell v5, there has been less use of the application, specifically among threat actors, penetration testers and red teamers.

This is because PowerShell v5 introduced PowerShell security logging, which gives blue teams additional options to prevent PowerShell-based threats.

Several techniques were later introduced to bypass this PowerShell security logging, such as AMSI (Antimalware Scan Interface) bypasses and ScriptBlock logging bypasses.

However, all of these techniques involved completely disabling the logging instead of spoofing the logs.


Researchers have discovered a new technique which does not require any reflection or memory patching to execute, and which can spoof any arbitrary message into the ScriptBlock logs while bypassing AMSI.

As background, PowerShell uses ASTs (Abstract Syntax Trees). An AST is a tree-like representation of source code that a compiler builds on the way from source code to machine code.

Compiler performing source code to machine code via AST (Source: Pulse/LinkedIn)

Creating a ScriptBlock within PowerShell works in much the same way as in any other language compiler. The parent node of every PowerShell AST is the ScriptBlock.

One of the properties of the ScriptBlock AST is the Extent, which is a string representation of our ScriptBlock.

ScriptBlock Smuggling

According to the reports shared with Cyber Security News, all the security features within PowerShell are passed only the Extent of the ScriptBlock.

Further, whenever a ScriptBlock is created by wrapping code in {} or by using [ScriptBlock]::Create(), the AST and subsequently the Extent are generated automatically. The same mechanism can be used to build a custom AST.

A ScriptBlock is not logged until the first time it is executed. To prove this theory, the researchers created a ScriptBlock whose logged text read Write-Output 'Hello' while the code that actually executed was Write-Output 'World'.

In addition, the executed code was not observed by the logs or AMSI.
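The gap the researchers describe is that logging and AMSI see the Extent string, while execution follows the AST. As an added illustration for defenders (not code from the report or its authors), the following PowerShell function re-parses a ScriptBlock's Extent and compares the resulting tree with the AST the ScriptBlock actually carries; the function name and the output format are my own, and a mismatch between the two fingerprints is the condition the technique relies on.

```powershell
# Added example (not from the original report): a defender-side integrity check.
# Logging and AMSI are handed only $ScriptBlock.Ast.Extent.Text, so re-parsing that
# text and comparing it with the AST that will actually execute exposes any gap
# between what gets logged and what runs. Function name and output shape are my own.
function Test-ScriptBlockExtentIntegrity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [scriptblock]$ScriptBlock
    )

    # Builds a canonical, sorted list of every command name and string constant in
    # an AST so that two trees can be compared as plain strings.
    function Get-AstFingerprint([System.Management.Automation.Language.Ast]$Ast) {
        $items = @()
        $Ast.FindAll({ $args[0] -is [System.Management.Automation.Language.CommandAst] }, $true) |
            ForEach-Object { $items += 'cmd:' + $_.GetCommandName() }
        $Ast.FindAll({ $args[0] -is [System.Management.Automation.Language.StringConstantExpressionAst] }, $true) |
            ForEach-Object { $items += 'str:' + $_.Value }
        $sorted = @($items | Sort-Object)
        return ,$sorted
    }

    # 1. The text that ScriptBlock logging (and AMSI) would record for this block.
    $loggedText = $ScriptBlock.Ast.Extent.Text

    # 2. Parse that text independently: this is what a log reader assumes was run.
    $tokens = $null
    $errors = $null
    $reparsed = [System.Management.Automation.Language.Parser]::ParseInput(
        $loggedText, [ref]$tokens, [ref]$errors)

    # 3. Compare the re-parsed tree with the AST actually attached to the ScriptBlock.
    $fromExtent = Get-AstFingerprint $reparsed
    $fromAst    = Get-AstFingerprint $ScriptBlock.Ast

    [pscustomobject]@{
        LoggedText = $loggedText
        Consistent = (($fromExtent -join "`n") -eq ($fromAst -join "`n"))
        ExtentOnly = @($fromExtent | Where-Object { $fromAst -notcontains $_ })
        AstOnly    = @($fromAst    | Where-Object { $fromExtent -notcontains $_ })
    }
}

# A ScriptBlock created the normal way, with {}, reports Consistent = True:
# its Extent is exactly the text the AST was built from.
Test-ScriptBlockExtentIntegrity { Write-Output 'World' }
```

A ScriptBlock whose Extent has been replaced with other text would instead list the commands and strings that appear only in the AST under AstOnly, which is the signal a runtime guard or a log-enrichment step would act on. The check is only as good as the point at which it runs; it must be applied to the ScriptBlock object before execution, since the ScriptBlock log entry itself contains nothing but the Extent.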

Logs not observed (Source: Pulse/LinkedIn)

Another test was conducted by creating a ScriptBlock with C# which executed Write-Output 'amsicontext', demonstrating the ability to bypass AMSI without needing any patching or reflection.

C# based ScriptBlock (Source: Pulse/LinkedIn)

This particular behaviour can be leveraged as a basic AMSI bypass, but the technique can also be escalated to more critical things such as command hooking.

ScriptBlock smuggling allows users to spoof PowerShell security logs, which will allow an unauthenticated user or threat actor to bypass all kinds of AV and EDR detections.
