offensive security
Powershell Constrained Language Mode ByPass
Understanding ConstrainedLanguageMode
Constrained Language Mode in short locks down the nice features of Powershell usually required for complex attacks to be carried out.
Powershell Inside Powershell
For fun - creating another powershell instance inside powershell without actually spawning a new
powershell.exe process:
Constrained Language Mode
Enabling constrained language mode, that does not allow powershell execute complex attacks (i.e. mimikatz):
1
[Environment]::SetEnvironmentVariable(‘__PSLockdownPolicy‘, ‘4’, ‘Machine‘)
Copied!
Checking constrained language mode is enabled:
1
PS C:\Users\mantvydas> $ExecutionContext.SessionState.LanguageMode
2
ConstrainedLanguage
Copied!
With
ConstrainedLanguage, trying to download a file from remote machine, we get Access Denied:
However, if you have access to the system and enough privileges to change environment variables, the lock can be lifted by removing the variable
__PSLockdownPolicy and re-spawning another powershell instance.Powershell Downgrade
If you have the ability to downgrade to Powershell 2.0, this can allow you to bypass the
ConstrainedLanguagemode. Note how $ExecutionContext.SessionState.LanguageMode keeps returning ConstrainedLangue in powershell instances that were not launched with -version Powershell 2 until it does not:
References
PowerShell Constrained Language Mode - PowerShell Team
PowerShell Team
Powershell Without Powershell - How To Bypass Application Whitelisting, Environment Restrictions & AV - Black Hills Information Security
Black Hills Information Security
Detecting Offensive PowerShell Attack Tools
Active Directory Security
Simple Bypass for PowerShell Constrained Language Mode
pentest-n00b