Edit – I just had this pointed out to me that on Friday 17th March Lee Holmes wrote about this very attack on his blog here – http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/. This is a pure coincidence and I was not aware of this blog post by Lee at the time.
We all know that Microsoft has added some nice features to PowerShell v5 to help out the Blue teams, Constrained Language Mode, Deep Scriptblock logging, system wide transcripts and AMSI to name a few.
This blog is not a lesson on each of the features mentioned above, for more information this is a great place to start – Microsoft PowerShell Blue team.
This blog is also not about the awesome bypasses highlighted by Casey Smith, aka @SubTee, again detailed info can be found here – @SubTee Blog.
What I’ve found is probably not even new, but I can’t find anything written about it. This is a very simple and almost too easy a way to bypass Constrained Language Mode. I still can’t believe it myself.
Continue reading “Simple Bypass for PowerShell Constrained Language Mode”