PowerShell CLM

The goal of CLM is to let users use most PowerShell language features while executing only the functions and cmdlets approved by a local policy, and so to prevent PowerShell from being used to achieve arbitrary, unsigned code execution. Any piece of code that is within the policy's constraints runs in FullLanguage mode.

Usually CLM is enforced through AppLocker, Device Guard, JEA, or by setting __PSLockdownPolicy to 4 (although this last option might be the weakest of the available ones).
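An added example (not part of the original page) that reports which of these enforcement signals are present on a host: the session's effective language mode, the __PSLockdownPolicy environment variable and its registry backing, the effective AppLocker Script rule collection (if the AppLocker module is available), and a probe that tries to create a non-core .NET type, which ConstrainedLanguage refuses. The function name Get-ClmStatus and the returned property names are assumptions made for this example.

```powershell
# Added example, not from the original page: report the effective PowerShell
# language mode of the current session and the lockdown signals behind it.
function Get-ClmStatus {
    [CmdletBinding()]
    param()

    # FullLanguage, ConstrainedLanguage, RestrictedLanguage or NoLanguage
    $mode = $ExecutionContext.SessionState.LanguageMode

    # __PSLockdownPolicy is read from the environment; the machine-wide value
    # lives under the Session Manager\Environment key.
    $envPolicy = $env:__PSLockdownPolicy
    $regKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
    $regPolicy = (Get-ItemProperty -Path $regKey -Name '__PSLockdownPolicy' -ErrorAction SilentlyContinue).'__PSLockdownPolicy'

    # AppLocker script enforcement: look for a Script rule collection in the
    # effective policy. The cmdlet is absent on hosts without the module.
    $scriptRules = $null
    try {
        $policy      = Get-AppLockerPolicy -Effective -ErrorAction Stop
        $scriptRules = $policy.RuleCollections | Where-Object { $_.RuleCollectionType -eq 'Script' }
    } catch { }

    # Probe: creating an arbitrary .NET type is refused in ConstrainedLanguage
    # ("Cannot create type. Only core types are supported in this language mode.")
    $arbitraryTypesAllowed = $true
    try { $null = New-Object System.Net.WebClient } catch { $arbitraryTypesAllowed = $false }

    [pscustomobject]@{
        LanguageMode          = $mode
        LockdownPolicyEnv     = $envPolicy
        LockdownPolicyReg     = $regPolicy
        AppLockerScriptRules  = if ($scriptRules) { $scriptRules.EnforcementMode } else { 'none' }
        ArbitraryTypesAllowed = $arbitraryTypesAllowed
    }
}

Get-ClmStatus | Format-List
```

If LanguageMode is ConstrainedLanguage but every other field is empty or 'none', the restriction is coming from somewhere the script does not inspect (for example a Device Guard / WDAC policy), which is worth knowing before assuming __PSLockdownPolicy is the only control in play.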

One way to bypass CLM is to hunt for injectable code in the scripts already present on the system. This can be done with a module called InjectionHunter:

Install-Module -Name InjectionHunter

ls C:\* -Include '*.ps1', '*.psm1' -Recurse | % { Invoke-ScriptAnalyzer -Path $_.FullName -CustomizedRulePath (Get-Module -ListAvailable -Name InjectionHunter).Path -ExcludeRule PS* }

The contents of InjectionHunter.ps1 are "just"

ls C:\* -Include '*.ps1', '*.psm1' -Recurse | % { Invoke-ScriptAnalyzer -Path $_ -CustomizedRulePath (Get-Module -ListAvailable -Name InjectionHunter).Path -ExcludeRule PS* }
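As an added example (not from the original page and not the InjectionHunter project's own rules), the following script shows the kind of construct such a scan surfaces: script code that turns a caller-supplied string into executable code via Invoke-Expression or [scriptblock]::Create, next to a version of the same function that keeps the parameter as data. It then parses a constructed sample with the PowerShell AST parser and lists the hits, which is a simplified form of what an InjectionHunter rule does. The function name Find-InjectionSink and the sample script are assumptions made for this example.

```powershell
# Added example, not from the original page or InjectionHunter: a minimal
# AST-based scan for injection-prone constructs, run over a constructed sample.
using namespace System.Management.Automation.Language

# Constructed sample script. The first two functions build code from a
# parameter and are what a scan should surface; the third keeps data as data.
$sample = @'
function Get-LogByName {
    param([string]$Name)
    Invoke-Expression "Get-ChildItem C:\Logs\$Name"         # parameter becomes code
}
function Invoke-Dynamic {
    param([string]$Body)
    & ([scriptblock]::Create($Body))                         # same, via a ScriptBlock
}
function Get-LogByNameSafe {
    param([string]$Name)
    Get-ChildItem -LiteralPath (Join-Path 'C:\Logs' $Name)  # parameter stays data
}
'@

function Find-InjectionSink {
    param([Parameter(Mandatory)][string]$ScriptText)

    $tokens = $null
    $errors = $null
    $ast = [Parser]::ParseInput($ScriptText, [ref]$tokens, [ref]$errors)

    # Calls to Invoke-Expression or its alias iex
    $iexCalls = $ast.FindAll({ param($node)
        $node -is [CommandAst] -and
        $node.GetCommandName() -in 'Invoke-Expression', 'iex' }, $true)

    # Calls of the form [scriptblock]::Create(...)
    $sbCreates = $ast.FindAll({ param($node)
        $node -is [InvokeMemberExpressionAst] -and
        $node.Expression -is [TypeExpressionAst] -and
        $node.Expression.TypeName.Name -eq 'scriptblock' -and
        $node.Member.Value -eq 'Create' }, $true)

    foreach ($hit in @($iexCalls) + @($sbCreates)) {
        [pscustomobject]@{
            Line    = $hit.Extent.StartLineNumber
            Pattern = if ($hit -is [CommandAst]) { 'Invoke-Expression' } else { '[scriptblock]::Create' }
            Text    = $hit.Extent.Text
        }
    }
}

# Expected: two hits (lines 3 and 7 of the sample); Get-LogByNameSafe is not reported.
Find-InjectionSink -ScriptText $sample | Format-Table -AutoSize
```

Pointing Find-InjectionSink at real files (Get-Content -Raw over the same ls output as above) gives a quick first pass; InjectionHunter covers more sinks (Add-Type, string-built commands, unsafe escaping) and is the better tool for an actual review, while the remediation in every case is the same as in Get-LogByNameSafe: pass untrusted values as parameters, never as code.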
