Powershell auditing: easy bypasses

2021-01-05 15:44:00

While I'm making my way through lab L1120 of BHIS' "Applied Purple Teaming" course, I noticed something interesting: none of my nefarious commands were showing up in HELK, despite me having enabled Powershell logging through a GPO.

In this lab, we're grabbing Sharphound.ps1 from the Bloodhound project, and either download and run it, or just load it into memory using Invoke-Expression. But none of that stuff was showing up in my Kibana dashboard, despite a "whoami" run from Powershell appearing correctly.

That's when I learned that A) downgrading your session to Powershell 2 kills all your logging, B) most of what you run in Powershell ISE (a script editor) is flat-out never logged. In my case: I make it a habit to work inside ISE, because I can easily edit script blocks.

See also this excellent blog post from 2018.

Luckily you can disable Powershell 2 with a GPO (which could end up breaking older scripts). But with regards to ISE: you'll have to completely uninstall, or deny-list it... if possible.


Based on this article by Microsoft themselves, it seems that turning on transcription will also work on Powershell ISE. I'll need to investigate a bit deeper... See if I haven't misconfigured my setup.


Yeah. The Powershell 2 logging bypass is valid, but the lack of logging through Powershell ISE was a case of #PEBCAK. 

kilala.nl tags: , ,

View or add comments (curr. 0)