
1. What Is InviShell (High-Level Overview)
InviShell is a red team–focused PowerShell execution framework designed to reduce visibility during PowerShell usage. Its core purpose is to execute PowerShell commands without triggering common logging mechanisms that defenders rely on.
In simple terms, normal PowerShell loudly reports what it is doing, while InviShell tries to run PowerShell in a quiet mode.
2. Why PowerShell Is Heavily Monitored
PowerShell is widely abused by attackers, so Microsoft added multiple security layers to monitor it. These layers do not block PowerShell by default, but they record activity so defenders can investigate later.
The most commonly monitored PowerShell security features are Script Block Logging, Module Logging, AMSI scanning, and Transcription.
3. Understanding Script Block Logging
Script Block Logging records every PowerShell command and script that gets executed. Even if a command is encoded or obfuscated, PowerShell logs the decoded version.
From a blue team perspective, this is extremely powerful because it exposes attacker behavior clearly.
Example defender-side log output (simplified):
Event ID: 4104
ScriptBlockText:
Invoke-Command -ScriptBlock {...}
This log is often the first indicator of malicious PowerShell activity.
4. How InviShell Bypasses Script Block Logging (Conceptual)
InviShell works by interfering with how PowerShell initializes its logging engine. Script Block Logging depends on certain internal PowerShell components being loaded correctly.
InviShell launches PowerShell in a way where these components either fail to load or never activate fully. Because of this, PowerShell executes commands, but nothing meaningful gets written to Event ID 4104.
Expected defender view after bypass:
No ScriptBlock logging events generated
This does not mean PowerShell is invisible, but one of the strongest logs is now missing.
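A detection check for exactly the gap described above, as an added example that is not part of the original article or the Invisi-Shell project: it correlates process-creation records (Event ID 4688) with Script Block Logging records (Event ID 4104) by process ID and reports PowerShell hosts that ran for a while without producing any 4104 event. The sample events, the field names and the 60-second window are assumptions chosen for the example.

```python
from datetime import datetime, timedelta

POWERSHELL_HOSTS = ("powershell.exe", "powershell_ise.exe", "pwsh.exe")

# Constructed sample events (not captured logs), already parsed into dicts.
# 4688 = Security process creation (Sysmon Event ID 1 works the same way),
# 4104 = Script Block Logging. "pid" is the process ID of the record.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "id": 4688, "pid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ts": "2024-05-01T10:00:02", "id": 4104, "pid": 4120,
     "text": "Get-Process | Sort-Object CPU"},
    {"ts": "2024-05-01T10:05:00", "id": 4688, "pid": 5230,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ts": "2024-05-01T10:07:00", "id": 4688, "pid": 5231,
     "image": r"C:\Windows\System32\notepad.exe"},
    # No 4104 record carries pid 5230: that host ran without script-block events.
]


def find_silent_powershell(events, quiet_window_s=60, now=None):
    """Report PowerShell host starts that produced no 4104 event.

    A host is reported only once quiet_window_s has elapsed since its
    start, so a session that just launched is not flagged prematurely.
    Only 4104 records timestamped after the start count, which limits
    false negatives from PID reuse. `now` defaults to the newest event.
    """
    parsed = [(datetime.fromisoformat(e["ts"]), e) for e in events]
    if now is None:
        now = max(ts for ts, _ in parsed)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    starts = {}   # pid -> (start time, 4688 record); a repeated pid keeps the last start seen
    blocks = {}   # pid -> timestamps of its 4104 records
    for ts, e in parsed:
        if e["id"] == 4688 and e["image"].lower().endswith(POWERSHELL_HOSTS):
            starts[e["pid"]] = (ts, e)
        elif e["id"] == 4104:
            blocks.setdefault(e["pid"], []).append(ts)
    findings = []
    for pid, (started, rec) in starts.items():
        if now - started < timedelta(seconds=quiet_window_s):
            continue  # too early to judge this host
        if any(t >= started for t in blocks.get(pid, [])):
            continue  # normal host: script blocks were logged
        findings.append({"pid": pid, "started": rec["ts"], "image": rec["image"],
                         "reason": "PowerShell host produced no Event ID 4104"})
    return findings
```

Process-creation records are still written when script-block events are missing, which is what makes this angle practical; baseline it first, because hosts where Script Block Logging is not enabled by policy will all look silent.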
5. Understanding AMSI (Antimalware Scan Interface)
AMSI is responsible for scanning PowerShell commands before execution. It sends script content to antivirus and EDR engines to detect malicious behavior.
Normally, if suspicious code is detected, AMSI can block execution or raise alerts.
Example normal AMSI detection flow:
PowerShell Script → AMSI → AV/EDR → Alert or Block
6. How InviShell Avoids AMSI Scanning (Conceptual)
InviShell avoids AMSI by ensuring PowerShell code runs in a context where AMSI hooks are not properly applied. This is usually done by executing PowerShell in a modified runtime state.
As a result, commands execute without being scanned by AMSI.
Expected behavior from defender tools:
No AMSI scan events observed
No malware verdict triggered
This is one reason InviShell is popular in red team simulations.
7. Learn More From the Official InviShell Repository
If you want to deeply understand how InviShell works internally, the best place to study it is the official open-source repository. This repository contains the source code, documentation, and usage explanations that help both red teamers and defenders understand the technique.
You can find the repository here:
https://github.com/OmerYa/Invisi-Shell