PowerShell Constrained Language Mode Bypass
Understanding ConstrainedLanguageMode
In short, Constrained Language Mode locks down the PowerShell features that complex attacks usually depend on.

Powershell Inside Powershell

For fun: creating another PowerShell instance inside PowerShell without actually spawning a new powershell.exe process:

Constrained Language Mode

Enabling Constrained Language Mode, which stops PowerShell from running complex attack tooling (e.g. mimikatz):

    [Environment]::SetEnvironmentVariable('__PSLockdownPolicy', 4, 'Machine')

Checking that Constrained Language Mode is enabled:

    PS C:\Users\mantvydas> $ExecutionContext.SessionState.LanguageMode
    ConstrainedLanguage

With ConstrainedLanguage in effect, trying to download a file from a remote machine gives Access Denied:
However, if you have access to the system and enough privileges to change environment variables, the lock can be lifted by removing the __PSLockdownPolicy variable and spawning a new PowerShell instance.

Powershell Downgrade

If you can downgrade to PowerShell 2.0, that can bypass Constrained Language Mode. Note how $ExecutionContext.SessionState.LanguageMode keeps returning ConstrainedLanguage in PowerShell instances that were not launched with -version 2, until the downgraded instance no longer does:
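As an added audit example (not code from the original page) that ties the __PSLockdownPolicy lock set above to the downgrade described here: the function below reports the lock state, whether the legacy 2.0 engine is still installed, and whether the "Windows PowerShell" log shows 2.0 engine starts. It assumes an elevated FullLanguage session on Windows 8 / Server 2012 or later; the function name is my own.

```powershell
# Added audit example, not code from the original page: reports whether the
# __PSLockdownPolicy lock set above is in place, whether the legacy 2.0 engine
# behind the "-version 2" downgrade is still installed, and whether the
# "Windows PowerShell" log shows 2.0 engine starts on a 3.0+ host.
# Assumed: run from an elevated, FullLanguage session on Windows 8/2012 or later.
function Get-ClmAuditReport {
    [CmdletBinding()]
    param(
        # How far back to search the event log for 2.0 engine starts
        [int]$LookbackDays = 7
    )

    $report = [ordered]@{}

    # 1. The language mode this session actually runs in
    $report.SessionLanguageMode = "$($ExecutionContext.SessionState.LanguageMode)"

    # 2. The machine-wide lock value that SetEnvironmentVariable writes; new
    #    processes read it at startup, so a removed value only takes effect
    #    once a fresh powershell.exe is launched.
    $lock = [Environment]::GetEnvironmentVariable('__PSLockdownPolicy', 'Machine')
    $report.LockdownPolicyValue    = $lock
    $report.LockdownPolicyEnforced = ($lock -eq '4')

    # 3. Is the PowerShell 2.0 engine still installed? If so the downgrade works
    #    regardless of the lock, since the 2.0 engine predates it and ignores it.
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
    $report.PowerShellV2EngineInstalled = ($null -ne $v2 -and "$($v2.State)" -eq 'Enabled')

    # 4. Event ID 400 ("Engine state is changed from None to Available") carries
    #    EngineVersion=... in its message; a 2.0 engine starting on a host that
    #    ships 3.0+ is the downgrade pattern.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Windows PowerShell'
        Id        = 400
        StartTime = (Get-Date).AddDays(-$LookbackDays)
    } -ErrorAction SilentlyContinue

    $v2Starts = @($events | Where-Object { $_.Message -match 'EngineVersion=2\.0' })
    $report.V2EngineStartsSeen = $v2Starts.Count
    $report.DowngradeSuspected = ($v2Starts.Count -gt 0 -and $PSVersionTable.PSVersion.Major -ge 3)
    $report.V2EngineStartTimes = $v2Starts | ForEach-Object { $_.TimeCreated }

    [pscustomobject]$report
}

Get-ClmAuditReport | Format-List
```

A DowngradeSuspected of True alongside LockdownPolicyEnforced of True is exactly the case this section describes: the lock is set, but the 2.0 engine sidestepped it.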
