Powershell Constrained Language Mode ByPass

Understanding ConstrainedLanguageMode
Constrained Language Mode in short locks down the nice features of Powershell usually required for complex attacks to be carried out.
Powershell Inside Powershell
For fun - creating another powershell instance inside powershell without actually spawning a new powershell.exe process:
Constrained Language Mode
Enabling constrained language mode, that does not allow powershell execute complex attacks (i.e. mimikatz):
[Environment]::SetEnvironmentVariable(‘__PSLockdownPolicy‘, ‘4’, ‘Machine‘)
Checking constrained language mode is enabled:
PS C:\Users\mantvydas> $ExecutionContext.SessionState.LanguageMode
ConstrainedLanguage
With ConstrainedLanguage, trying to download a file from remote machine, we get Access Denied:
However, if you have access to the system and enough privileges to change environment variables, the lock can be lifted by removing the variable __PSLockdownPolicy and re-spawning another powershell instance.
Powershell Downgrade
If you have the ability to downgrade to Powershell 2.0, this can allow you to bypass the ConstrainedLanguagemode. Note how $ExecutionContext.SessionState.LanguageMode keeps returning ConstrainedLangue in powershell instances that were not launched with -version Powershell 2 until it does not:
References
PowerShell Constrained Language Mode
PowerShell Constrained Language Mode Update (May 17, 2018) In addition to the constraints listed in this article, system wide Constrained Language mode now also disables the ScheduledJob module. The ScheduledJob feature uses Dot Net serialization that is vulnerable to deserialization attacks.
blogs.msdn.microsoft.com
Powershell Without Powershell - How To Bypass Application Whitelisting, Environment Restrictions & AV - Black Hills Information Security
Brian Fehrman (With shout outs to: Kelsey Bellew, Beau Bullock) // In a previous blog post, we talked about bypassing AV and Application Whitelisting by using a method developed by Casey Smith. In a recent engagement, we ran into an environment with even more restrictions in place. Not only did they have AV and Application Whitelisting, they were …
www.blackhillsinfosec.com
Detecting Offensive PowerShell Attack Tools
At DerbyCon V (2015), I presented on Active Directory Attack & Defense and part of this included how to detect & defend against PowerShell attacks. Update: I presented at BSides Charm (Baltimore) on PowerShell attack & defense in April 2016. More information on PowerShell Security: PowerShell Security: PowerShell Attack Tools, Mitigation, & Detection The most ...
adsecurity.org
Simple Bypass for PowerShell Constrained Language Mode
Edit – I just had this pointed out to me that on Friday 17th March Lee Holmes wrote about this very attack on his blog here –  This is a pure coincidence and I was not aware of this blo…
pentestn00b.wordpress.com
Powershell Without Powershell.exe
Forcing Iexplore.exe to Load a Malicious DLL via COM Abuse
Last updated 3 years ago