PowerShell Script Block Logging

PowerShell’s “Script Block Logging” is still trivial to bypass, so for anyone playing with post-exploitation tools and wondering why logging stops, it’s most likely due to this code snippet:

$GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockLogging'] = 0

$GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockInvocationLogging'] = 0

This sets a cached copy of the Group Policy settings held inside the PowerShell process, which disables the logging for that session no matter which Group Policy settings are actually applied. Really annoying when you want to see what’s being run inside some really interesting PowerShell modules such as PowerSploit and anything within the Empire framework. Here is the standard Empire stager, which implements the bypass.

This type of event is generally the last you’ll see for that session in the PowerShell event log. However, the nasty thing from a monitoring point of view is that other sessions are not affected: you’ll continue to receive events from other sessions but not from the naughty one, so we can’t even monitor for the logs going quiet with any degree of confidence.

We can, however, monitor for the "EnableScriptBlockLogging" and "EnableScriptBlockInvocationLogging" strings to give an indication that there was an attempt to alter these values. Other than that, we are really waiting for a patch from Microsoft on this one.

There are other things we can do in order to see what happens afterwards, such as:

  • Enable PowerShell transcription logging. This writes PowerShell activity to a text file so you can see what’s being executed, and it does not appear to be susceptible to such a trivial bypass.
  • Edit the script you’re running to either remove the bypass or set the PowerShell cached dictionary entries to "1". Doing it in PowerShell is easy enough, or CyberChef is brilliant for this type of stuff; link below.
  • Rely on the Pipeline Execution Events generated by enabling "Module Logging". These are still pretty good from a monitoring point of view but generally contain less information.
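As an added example (not code from the original article), the script below hunts the PowerShell Operational log for 4104 script block events that reference the two policy keys named above, then checks that the transcription policy recommended in the list is actually switched on. It assumes an elevated session on the host under review; the function names and the $Hours parameter are chosen here, not cmdlets from any module.

```powershell
# Added example, not code from the original article. Assumes it runs elevated on the host
# being checked; $Hours, Find-ScriptBlockLoggingTamper and Test-TranscriptionPolicy are
# names chosen here, not cmdlets from any module.
param([int]$Hours = 24)

# The strings the article says to watch for: the cached policy keys the bypass rewrites.
$Patterns = 'EnableScriptBlockLogging', 'EnableScriptBlockInvocationLogging'

function Find-ScriptBlockLoggingTamper {
    param([int]$LookbackHours)
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104                         # script block logging event
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }
    # 4104 event data: [0] MessageNumber [1] MessageTotal [2] ScriptBlockText [3] ScriptBlockId [4] Path
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object {
            $text = $_.Properties[2].Value
            ($Patterns | Where-Object { $text -like "*$_*" }).Count -gt 0
        } |
        ForEach-Object {
            $text = ($_.Properties[2].Value -replace '\s+', ' ')
            [pscustomobject]@{
                TimeCreated   = $_.TimeCreated
                ProcessId     = $_.ProcessId
                ScriptBlockId = $_.Properties[3].Value
                Path          = $_.Properties[4].Value
                Snippet       = if ($text.Length -gt 120) { $text.Substring(0, 120) + '...' } else { $text }
            }
        }
}

# Transcription is the fallback the article recommends; confirm policy actually enables it.
function Test-TranscriptionPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
    $value = Get-ItemProperty -Path $key -Name EnableTranscripting -ErrorAction SilentlyContinue
    [bool]($value -and $value.EnableTranscripting -eq 1)
}

$hits = @(Find-ScriptBlockLoggingTamper -LookbackHours $Hours)
if ($hits.Count -eq 0) {
    Write-Host "No 4104 events referencing $($Patterns -join ' / ') in the last $Hours hours."
} else {
    Write-Warning "$($hits.Count) script block(s) reference the script block logging policy keys:"
    $hits | Format-Table TimeCreated, ProcessId, ScriptBlockId, Snippet -AutoSize -Wrap
}
if (-not (Test-TranscriptionPolicy)) {
    Write-Warning 'Transcription policy is not enabled; nothing captures activity after a bypass.'
}
```

Because this script itself contains the two strings, running it on a host with script block logging on produces one matching 4104 event of its own; exclude its Path or ScriptBlockId, or require the `$GroupPolicySettings[...] = 0` assignment pattern as well, when tuning the alert.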

Hopefully Microsoft patches this sooner rather than later.


More articles by Tristan Bennett