A recently disclosed weakness in PowerShell v5 changes the picture for threat actors, penetration testers, and red teamers alike. PowerShell security logging had been pushing adversaries away from the platform; this newly found vulnerability reverses that trend, because it lets an adversary bypass both the PowerShell security logs and AMSI, undermining a key layer of defense.
Earlier techniques for defeating PowerShell security logging worked by disabling the logs outright. The newly published approach needs neither reflection nor memory patching: it spoofs arbitrary text into the ScriptBlock log while evading AMSI. The trick rests on the PowerShell AST and its Extent property, which holds the source text a node is assumed to have been parsed from. By constructing a custom AST, a threat actor can run one set of commands while the logged and AMSI-scanned text says something else, so the executed commands leave no accurate trace in the security logs.
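The paragraph above hinges on the fact that an AST and its Extent text are two separate things that normally agree. The following PowerShell snippet is an added example written for this page, not code from the article or its researchers: it parses a constructed script, then checks that every node's Extent text is really the substring of the root Extent at the node's own offsets, and lists the commands the tree would actually run regardless of what the Extent text claims. The function name `Test-AstExtentConsistency` and the consistency heuristic are assumptions introduced here; the `Parser`, `Extent`, `FindAll` and `GetCommandName` members are standard PowerShell AST APIs.

```powershell
# Added example (not from the original article): audit a PowerShell AST for
# disagreement between the source text its Extent reports and the nodes the
# tree actually contains. ASSUMPTION: this heuristic was written for this page;
# it is not a detection published by the researchers behind the technique.
using namespace System.Management.Automation.Language

function Test-AstExtentConsistency {
    param(
        [Parameter(Mandatory)]
        [ScriptBlockAst]$Ast
    )
    $rootText  = $Ast.Extent.Text
    $rootStart = $Ast.Extent.StartOffset
    $findings  = @()

    # A node parsed from real source text maps to a substring of the root extent
    # at its own offsets. A node whose text is not found there means the root
    # Extent (the text that gets logged and scanned) no longer describes the tree.
    foreach ($node in $Ast.FindAll({ $true }, $true)) {
        if ($node -eq $Ast) { continue }
        $start = $node.Extent.StartOffset - $rootStart
        $len   = $node.Extent.EndOffset - $node.Extent.StartOffset
        $slice = $null
        if ($start -ge 0 -and ($start + $len) -le $rootText.Length) {
            $slice = $rootText.Substring($start, $len)
        }
        if ($slice -ne $node.Extent.Text) {
            $findings += [pscustomobject]@{
                NodeType   = $node.GetType().Name
                ExtentText = $node.Extent.Text
                RootSlice  = $slice
            }
        }
    }

    # The commands the tree will execute, taken from the nodes rather than
    # from the Extent text, so they cannot be hidden by a spoofed Extent.
    $commands = $Ast.FindAll({ $args[0] -is [CommandAst] }, $true) |
        ForEach-Object { $_.GetCommandName() }

    [pscustomobject]@{
        Consistent = ($findings.Count -eq 0)
        Commands   = $commands
        Findings   = $findings
    }
}

# Constructed sample input: a benign script parsed the normal way is consistent,
# and its Commands list matches what a reader of the Extent text would expect.
$tokens = $null
$parseErrors = $null
$ast = [Parser]::ParseInput('Get-Date; Get-Process -Name pwsh', [ref]$tokens, [ref]$parseErrors)
Test-AstExtentConsistency -Ast $ast
```

On a normally parsed script `Consistent` is `$true` and `Commands` contains `Get-Date` and `Get-Process`. The check is only a heuristic and only useful where a defender already holds the `ScriptBlockAst` object before it runs; the ScriptBlock log itself records Extent text, so a log line alone gives nothing to compare against. Its practical value is in showing why the two views diverge: detection that trusts the logged text is trusting a property the script author controls, whereas the node tree records what actually executes.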
The implications of ScriptBlock smuggling extend beyond evasion of logging. The technique lets unauthenticated users or threat actors bypass AV and EDR detections, and it opens the door to more sophisticated attacks such as command hooking. The discovery underscores the importance of continually assessing and fortifying defenses against evolving threats, particularly those aimed at fundamental components of widely used technologies like PowerShell.
Reference: