AppLocker CLM Bypass via COM

Constrained Language Mode is a method of restricting Powershell’s access to functionality such as Add-Type, or many of the reflective methods which can be used to leverage the Powershell runtime as a launchbed for post-exploitation tooling.

Despite what Microsoft may claim, this feature is very much being used as a security control, providing defenders with the ability to stop tools such as “Invoke-Mimikatz” from executing due to the heavy reliance on reflection techniques .

As I was getting ready to complete an engagement in an environment enforcing Constrained Language Mode, I wanted to take a quick look at any potential ways around this protection should it be needed. I spun up a Windows 10 instance and configured CLM via the default rule set. In this post I will show the results of this research and a possible way of bypassing this protection as a non-admin user.

Read the full post over on MDSec’s blog here.