
Strange behavior or how does Hoaxshell actually work?

Open khazovP opened this issue 3 weeks ago • 0 comments

Hello,

I noticed a strange behavior of Hoaxshell. Or maybe it is supposed to work like this, I do not know.

  1. Execute Hoaxshell payload on target & receive session
  2. On attacker: execute AMSI bypass
  3. Output (of the bypass script) is printed not on the attacker side (in the hoaxshell console) but in the target's PowerShell window.
  4. AMSI bypass is not actually applied

However, executing the same AMSI bypass directly in a PowerShell window on the target works.

Has anyone noticed similar behavior? Or maybe I am missing something?

khazovP, Dec 06 '25 14:12