Powershell Constrained Language Mode ByPass

Last updated 4 months ago

Understanding ConstrainedLanguageMode

Constrained Language Mode in short locks down the nice features of Powershell usually required for complex attacks to be carried out.

Powershell Inside Powershell

For fun - creating another powershell instance inside powershell without actually spawning a new powershell.exe process:

Constrained Language Mode

Enabling constrained language mode, that does not allow powershell execute complex attacks (i.e. mimikatz):

[Environment]::SetEnvironmentVariable(‘__PSLockdownPolicy‘,4, ‘Machine‘)

Checking constrained language mode is enabled:

PS C:\Users\mantvydas> $ExecutionContext.SessionState.LanguageMode
ConstrainedLanguage

With ConstrainedLanguage, trying to download a file from remote machine, we get Access Denied:

However, if you have access to the system and enough privileges to change environment variables, the lock can be lifted by removing the variable __PSLockdownPolicy and re-spawning another powershell instance.

Powershell Downgrade

If you have the ability to downgrade to Powershell 2.0, this can allow you to bypass the ConstrainedLanguagemode. Note how $ExecutionContext.SessionState.LanguageMode keeps returning ConstrainedLangue in powershell instances that were not launched with -version Powershell 2 until it does not:

References