PowerShell ConstrainedLanguage Mode ByPass

by Vince
in Blog
Hits: 130

What is Language Mode and what is ConstrainedLanguage Mode?  "The language mode determines the language elements that are permitted in the session.  The ConstrainedLanguage mode permits all cmdlets and all PowerShell language elements, but it limits permitted types."  So what does that really mean?  It means that in the context of compromising a system, we will be presented with an obstacle that we will need to overcome in order to execute PowerShell.  Below is FullLanguage Mode:

We can then set ConstrainedLanguage Mode and when we attempt to run the same PowerShell command, we get denied:

I've seen techniques where we can download an executable or dll to bypass this issue but the truth is -- when you try to download those packages, they tend to get removed by Defender or antivirus.  But here's the thing -- unless someone has done some hardening, PowerShell V2 is still installed and we can perform a PowerShell downgrade attack.

We check our language mode, we execute our Hello, we get denied, we launch PowerShell V2, and when we re-run our Hello, we have no issues: