BSidesAugusta 2018 - Chris Truncer - Isolated to Constrained Language Mode

all right hello everyone I'm so yeah as he said I'm Chris Ron sir um this talk is isolated can to constrain language mode limiting the confines like also mentioned I'm primarily going to be talking about PowerShell and what everyone probably knows PowerShell is what's called process but like where do they try to protect the system and this is for a kernel mode code integrity and user mode code integrity and right over here is what constrained language mode is trying to like help protect so what is constrained language mode mean so like we said it's largely used to block dangerous data types so if we can just arbitrarily invoke Windows api's and use that to just inject shell code into

memory like beacon or meaning cats or interact with dangerous or protective processes like L SAS then that's not something that you probably really want to be able to do or have anyone just to arbitrarily be able to do so it looks to block different tasks or things that you can do that it would consider dangerous if you build a powershell script using pure powershell so we're not invoking any sort of dotnet datatypes or anything like that then your code probably will work so let's kind of take a quick look constrain language mode data types so the way that this works is constrain language mode introduces whitelisted datatypes so this isn't like they only blacklist certain different types of

data you can interact with it's largely if you aren't using an allowed datatype it's completely blocked and you're getting an error and so you would see something like this so oh sorry that's a little hard to see so what that says is if you're trying to run either a script or a tool or some sort of camila that it uses a restricted data type it's going to say cannot invoke method method invocation is supported only in core types of this language mode meaning that is only allowed in full language mode all right so the next question is okay how can we obviously test what's allowed well the first thing you can do is go to

MSDN and look at their documentation the next thing that you can do is test it and figure out what msdn is missing in the documentation and actually find the real data types that you use so PowerShell pro mat Graber I like this because I don't think you can basically give a PowerShell talk today about anything in the world without somehow referencing Mac or Ava and the work that he's done because he's done a lot of awesome stuff and so of course mat also wrote really a script but really more like a one-liner that can enumerate different data types that are actually allowed and constrained language mode so hint there may be some differences so what are the big things

that are aren't allowed welcome objects are supposed to be blocked if you use add type in your PowerShell code that Camilla is completely blocked different PowerShell classes are blocked type conversion isn't allowed unless it's using an approved whitelisted data type dot sourcing your code is not allowed and again it comes back to if you're using anything with dotnet only approve dot net data types are allowed so this is a giant list but this is actually all that's listed on MSDN page for a constrained language mode on what's allowed so you have some stuff that makes sense right you have like bool so you can do like basic true/false kind of determinations you have different integers that are allowed you can create

a PS credential object in case you're trying to authenticate to some sort of remote resource that requires a PS credential different integers so there's different types of data types that are allowed so obviously that's a lot but the question is then is that all-inclusive so MSDN states that that is like the end-all-be-all a list of data that's allowed so again we should kind of follow a something-something trust but validate sort of process so let's kind of look into this like I'd mentioned mat Graber did release a not release but he just publicized a one-liner that it captures the different data types that are allowed and this is basically what you're looking at and so it's just this reference that assembly

gets system management automation core types and then we're looking at just to pull this sort of information back right here are the items non public static and you can I mean you can all read the command but this is what will actually to enumerate what data types are allowed so I cut it off this is not the entire list because would have been too big of a screenshot or even though this is already fairly large but you can see that there's some of the same information right so we have integers again we have different pools we have some sim classes so that we can also interact with that are listed here there's a variety of just different data

types that are going to be listed here a lot of them are going to be the same but some of them may be some new additions that aren't listed in MST ends documentation you know it's funny I was talking a couple different friends of mine that are also MVPs and they stated that Microsoft may have actually kind of gotten rid of their documentation staff and that is up to each project that is in charge of certain aspects of MSDN or like whatever they're doing within Microsoft it largely relies on them to write their own documentation for that now if that's incorrect someone tell me but that's what I was told and so hopefully we're gonna start getting

better documented information that we can look at and when you just want to try to see what is the current status of whatever we're looking for with Microsoft products so here's an example and I'll just we'll skip to the next one just to get through this so here's an example of what I'm doing is I'm running get credential to capture credential information so that's a username and password and so we can see that that's a PS credential object right here now here's another thing that we're doing is um we're creating a new sim session with a remote system and I'm passing to the creds that we just created with get credential and this session objects are

decom session options like that's the data type that's listed if you actually look at and try to expect through PowerShell with the data type this in this case you can see right here it is a sim session that we're creating that's that's the data type that's allowed and this is all done within constrained language mode so some of these were listed right on MSDN s documentation but like the sim session information I don't know if it actually falls under what Microsoft lists as their management class here and I tried asking other individuals if that is where it's somehow lies under that class it really gets a great answer so I'm interested and if anyone knows the

answer I would love to talk with you after as well because just different things that you can seem to do in constrained linkage mode again aren't completely documented all right so long story short there's still a lot of different data types that you are allowed what you can do and interact with and constrain languish mode the trick is to ensure that you're interacting or using and allowed data type before you start developing different tools or as you run into issues try to figure out an alternate way to do whatever it is you're trying to do without interacting with that restricted data type the easiest way to do it is to check MSDN Docs if you can

figure out whatever you trying to do is allowed perfect if you can use macros one-liner or really the honestly the way that I develop a lot of code that is in constrained language mode is I'm just enforcing constrain language mode and then testing and writing code until something errors out and then I'm trying to figure out okay how can I do this a different way so again the easiest way to enforce constrain language mode is to set it yourself and so this is that host at run space that language mode that I referenced earlier you can just run this within PowerShell and set it to constrain language mode and that essentially that session that you're

interacting with from then on unless you were to change this actually is using constrain language mode versus full language mode so here's an example right now we're in full language mode as you can hopefully somewhat see right here and we're trying to do this figure out the square root of nine and so that's allowed we're getting three is returned well here I'm now changing that to host run space language mode equals the constrain language sorry about the coloring again on this and if you then try to run that same math square root command essentially to determine what's the square root of nine that's actually not using an allowed data type in constrain language mode and square root

which is you would think fairly easy not benign or I mean is benign is restricted and is not allowed at all so clm this is basically the biggest limitation for attackers on seal protected systems if an attacker can't weaponize any of their powershell scripts because they all somewhat either use restricted data types or restricted or different commandments that use restricted data types is going to be blocked so it's it's not like application whitelisting where an attacker could then try to figure out okay how can i administer their application whitelisting solution or system whatever it is that they're using and whitelist it it's just outright blocked so it just won't work with in construing the language mode unless the

attacker actually goes back and tries to figure out how to rewrite their tools to do something that is allowed all right so let's kind of translate all this does a lot of information thrown back at you what works and what doesn't so let's run some quick tests so again you saw a square root we'll see it again we'll look at base64 encoding and then let's look at shell code injection what an attack and may try to do to compromise a system that they're on or compromised system that they're trying to get a beacon or meterpreter running

all right so what we have here is this is just showing host run space that languish mode is right now we're in full language mode so this is again doing that math trying to figure out square root this is kind of a validation test and make sure that we are in that and it does work we do get three returned back to us and so this is where I am trying to now perform base64 encoding so what this says is just 40 north and B sides Augusta and we're trying to get the bytes of that string and once we get the bytes we are converting to basics t4 string and we can see that that's our

base64 encoded result so this is all allowed like you would expect in full language mode just normal powershell all I'm going to do is now change in the host run space language mode and we're changing into constraint language and so now we're gonna kind of try to conduct the same test we're gonna do the same thing here with Maddy math again to try to find the square root we can see that that is block that's not allowed well what if we want to just basics t4 encoded string so we have to start getting the bytes there and then encode it but that is also completely blocked sorry that went kind of fast but that was blocked there so finally what this

payload ds1 is is I don't know if anyone's you use cobalt strike similar to meterpreter this is basically an output for a PowerShell based stager so we run that PowerShell code and then we would get a beacon on our system so same thing as if you were using MSF venoms powershell output to get meterpreter on your system so if we try to dot slash call that it's going to be blocked for multiple reasons to be honest but it's just completely not allowed so constraint language mode is really good for locking down systems and starting to restrict some of the different features that attackers try to use to compromise either a local system or a remote system

okay alright so next up what can we do what works and what doesn't so with everything that's kind of blocked it's kind of out of the out right from using constrain language mode what's left well a lot of people one of the things that you can do as awesome and PowerShell is largely you see sharp with in any sort of PowerShell code that you want and run c-sharp code within it well if you're thinking of trying to convert your c-sharp code and using it in PowerShell don't because it's largely its profits highly unlikely that it's going to work but the interesting thing is if you're just trying to administer a computer and like you use either built-in

commandments or just pure PowerShell to use something that's probably going to work right because like we said in the beginning the whole point of constrained language mode is to restrict sensitive data types but allow user administrators to still administer their computers so one of the things that obviously I've worked on veil before antivirus is always kind of an interesting thing for myself and just attackers in general but look at is on antivirus administration you can do that right now currently with PowerShell so one of the interesting things that I really like our Microsoft's attack surface reduction rules has anyone heard of ASR attack cypress reduction rules awesome usually come grab one of these books I have to

give these away so make your way down and grab grab one whatever you'd like attack surface reduction rules are really into coal I think because the only downside to it is it's only allowed on like Windows 10 or Server 2016 but you can do a lot of enforce a lot of unique rules such as you can prevent processes from being spawned on a system that were initiated via PS exec or WMI you can also prevent macros from running or prevent like office documents from spawning or excuse me office processes from spawning child processes right like why would Microsoft Word need to spawn PowerShell on a system or command dot exe you you it's probably no reason

reason that that's really loud yes sir

it's gonna depend upon what you're doing so now if we were talking device guarded Windows Defender application control my answer would outright just be no because it's it doesn't allow you to you basically you do you assigned where you give trust and so that Windows the device guard enforces trusted rules on both executables but also libraries from being loaded now if you are able to write code that loads different dll's or different or conducts the actions that you want to do basic kind of replace the DLL in a constrained language mode compliant manner then that would work but the only thing with and I'll actually I think you talked about in a couple slides a constrain language mode

is useful to stop PowerShell but if you don't enforce constrain language mode in addition to application whitelisting then it's kind of not super useful because let's say I wrote a malicious PowerShell code just like you were kind of talking about any wrote in c-sharp and you have powershell run that well let's say constrain language mode is invoked or protecting the system but application whitelisting isn't well in that case I would just take that c-sharp code compile it to a library or into a PE and executable and then just run it that way because constraint language mode doesn't protect against executables from running on the system it's only PowerShell so yes yeah well so yeah sorry so they're

asking if if it if constrain language mode only protects powershell exe or a PowerShell ISE or is there another way that you can maybe get around it so the issue it's going to be protecting it on the system management to automation dll so if you can't it basically if you you have to it's not restricted to just the exe itself because PowerShell itself isn't powershell exe it's the system management that automation DLL that powershell that exe loads so it's it's within that DLL essentially anytime that that's loaded you're trying to run PowerShell code that that is what's protected but again if your

it's so the question was if you load system management to automation DLL and would that still be loaded in constrained language mode the answer is it depends like how was constrained language mode enforced on your environment if you're doing kind of what we did back here where we're just a couple slides back but we're just setting it while having powershell started the no because that's because you're not in that session of PowerShell essentially you're loading it in another program but if you're enforcing constrained language mode through some sort of GPO or something like that then it should be protected at that point okay yes

I can't speak at unto advanced threat protection so I don't want to give bad information I would believe that it it should but I don't hundred seven know that answer so I did I just want to give you the wrong answer oh sorry so the question was how does that actually relate to Microsoft ATP advanced threat protection does that get reported in to them and and like he's mentioned I actually I believe it would but I I don't know the answer for hundred percent certainty all right so kind of going back to this antivirus administration so there are ASR rules which can do really cool rules that aren't enabled by default and are only allowed to run on Windows 10 or

Server 2016 and so like I mentioned you could completely stop processes excuse me from being spawned via WMI or the customer on a blanket what the other one was now anyways there's a bunch of different rules that are out there and you can set figurations across like you across the entire domain however you want so my thought is well if we can enable these rules using PowerShell and we can do this in constrained language mode we can also likely disable the rules well if we can also set configurations for antivirus and constrain language mode an attacker can probably do the inverse operation so it's probably useful from an attackers perspective right so let's look at this

so there's a command link called get MP preference what this command lit does is it obtains the antivirus configuration of the system that we're targeting the interesting thing is you can run this command locally on your Windows 10 system you can also run it remotely on a system that you're targeting so what does it use for authentication well we're using sim sessions well this interesting thing was we just looked at kind of the very beginning of this talk is what can we actually do in CLM mode constrain language mode is we can create sim session that is allowed within constrained language mode so let's kind of give that a shot and see what it looks like I have a video will show in

just a second but right now this is what you get if you run get MP preference on your local system if there's a whole bunch of different information about antivirus right here but then some of the more interesting ones me be the exclusion extension which extensions are we excluding from having antivirus look at what path are we kind of just allowing to exist and like excluding anything within that path or what about certain processes that are allowed are we excluding any of those and so what this does here is at the very top we're creating ApS credential object using convert to secure string to convert a pass or insecure string creating a PS credential object in

creating essentially a sim session so that we can connect to a remote system and so that's what I'm doing right here I'm connecting to a system and then right here what it's doing this get MP preference I'm saying okay we're gonna call that but we're gonna use a sim session and pass it into it and so that will automatically pass whatever sim session I just created to a remote system so it's already authenticating with the credentials I provided and it already knows which system to connect to once we get that we can see that there's some certain information allowed on this remote system like there's an exclusion extension of PDF if it's a PDF there

just don't scan it at all the exclusion path is the Downloads folder and in this case the exclusion process is dolphin dot exe apparently so if you see that process running at all just don't scan it don't worry about it it's allowed so the next interesting commandment that goes along with this asset MP preference set MP preference is what you would probably imagine it allows you to set antivirus configuration settings for whatever system you're trying to authenticate to the difference is there is set MP preference and there's add MP preference set MP preference will overwrite whatever settings currently exist for the system that you're targeting ad MP preference appends to an existing configuration so let's say like

on this previous slide if PDF is here and I were to do set MP preference to exe the only thing that would be here now is exe if I were to use add MP preference you would see PDF and Exe so similar to get MP preference you can just authenticate to a remote system using zoom sessions and so we're about to do a video but basically I thought this is going to be a little see what I'm running here asset MP preference I'm using a sim session other I've already created to authenticate to a remote system I'm saying hey set an exclusion path which is the seat directory and set an exclusion extension which is anything dot exe on there on

this system that I'm targeting and so if you were to pull up Windows Defender on that remote system where you sent this to you would actually see that information like see temp or exe is completely allowed and right here is the command line example or that if we were to run get MP preference we can see yes that is actually allowed on the system but believe I'll have cup in just a second so set MP preference it's kind of the same concept with the tax surface reduction rules you use get MP preference you can get all the information about your normal a V configs but you can also see if there are any attack surface reduction rules

enabled well you can use set MP preference to go ahead and stop them from spawning or stop those rules from being enforced on a remote system and the awesome thing about this is all this can be done within constrained language mode so if we look right here up here at the very top is where you would see attack surface reduction rules when you run get MP preference and so in this case there is a specific rule in Microsoft of course loves essentially goods so rather than being like WIPs exact rule it's this really long string but then you can see with the with one being listed here that rule is actually enabled and so right now the system that

these rules are on it will block and prevent any process being spawned that's spawned via WI or yes exactly if we were to actually then run this set MP preference we say hey this specific rule which is that long gooood and then for that rule I want that it's actually be disabled this is what you would see at that point you'd see a zero instead of one and then that ASR rule is no longer running on that system alright so that was a lot here I'll show a show a quick demo on what that actually looks like

so what I'm doing here is a retiring get MP preference and so we're gonna pass it a sim session which this was already created prior to this video of being started it's just using that sim session to authenticate to remote system and pull back the antivirus configuration as you can see there's a lot of different information here we can see at the top that an ASR rule is actually enabled and that is the excuse me the specific rule that blocks processes being spawned via WI and so that is active on that system and so while I figured let's test this okay so we're gonna use power shells invoke with me method the win32 process class we're gonna tell it to create a

process and in this case we're gonna have it start or try to start notepad.exe so that runs and what you can see here is anytime you're using W my if something works your return value should be zero if it's not zero then some sort of error happened in this virus and threat protection that's what pops up so that actually prevented notepad from being spawn right there and that's it basically informing the user that it is not allowed because there's a rule set to prevent processes from W my starting so what I'm doing here now is I'm using set and pre preference to I'm targeting this specific attack surface reduction rule which is that long one which is dealing

with WI and PS exec and then I'm telling it for the rules of web that's enabled I want to actually go ahead and disable it and I think I'm gonna have to Pat yep there's a sim session so I'm at LT sim session and so now it should be disabled so if we do a get MP preference and re pull the new configs at this point we can see if we scroll all the way to the top that those rules are now that rule is now disabled it's no longer allowed to run it's not enforced it's a better way to phrase it so now if I try to use the same exact attack that I just did

use invoke Allah method of win32 process we're going to create a process in this case we're gonna try to spawn notepad again what you can see now is this time the return value is zero we actually got a process ID of what no pad should be running in and you'll see in just second because it's unfortunately off-screen there's no pad so no pad actually was spawned and it did work and so everything that was just done here can be you can do this within constrained language mode so you can as an attacker if you see a system that is a high-value target system that has ASR rules enabled well as long as you've administrator rights over that system

you can just just disable it like you don't have to spend your time creating alerts you can do quick recon and see if these rules are actually enabled then just disable them and load your malware or whatever it is that you're wanting to run or just run a simple command and this is all allowed within constrained language mode again because it's an administrative task three star unit the next one yeah

sorry yeah I should have brought that up it was a great question the question was if for different goods that I was like just referencing in that working to actually find what gooood correlates to what rule in this case Microsoft actually did do a good job documenting this so if you just do a Google search for Windows ASR rules I think it's like the very first result that you're gonna get actually has basically a table and it says like this rule is for blocking processes spawned via WMI RPS exact and then this is the gooood that's associated with that rule so that they actually do have all of that documented

off the top the question was is there anything on the OS itself versus do you have to look at an external reference there probably is a way there might be a way to a new reign with that with PowerShell I just don't I don't know that one for me I just do a quick google search and find it out that way yeah no problem okay so here's another different thing that we can do with get MP preference and set MP preference so this is a little bit more fun okay so in this case I didn't show it on the last damage but here I'm validating and showing that I do have a sim session to a remote system

and I'm connected to it over decom again all of this is loud and constrained language mode we're gonna run get MP preference again on this system and oh-oh target it and so we're gonna pass this in session in and what you're gonna see right here is that these this extension is allowed and exe and this exclusion path is also allowed see temp well what if I have malware that's in a PDF format or if I want to drop malware or something in a specific folder then what do I do in that case and so we just also showed that ASR rule is enabled well set MP preferences friend I actually recorded this video for a separate conference so you're

gonna see something relate to this but in this case I'm using set MP preference I'm setting passing in the same session that I'm using that I previously created I'm going to exchange the exclusion extension in this case to PDF and because I'm using set MP preference that should be overwritten and so that will be there and then what I'm going to do now again is get MP preference we're gonna try to pull back the information and actually see if it changed so just pulled it back again and now we can see that we change from Exe to PDF so you can just arbitrarily whitelist whatever file extension you want on a remote system to allow your code to run and not

even be looked at by nm Paris in this case we ran also change the set MP preference that we want to change it to just a separate directory from C temp and so yeah we're passing the same session again and are changing the exclusion path in this case something have like C temp it's like st. con or something like that yep okay and so we're studying that and now we're gonna use give MP preference oops I'm actually that's right haven't have an error right here because I gave it a dollar sign it's gonna fail I'll see that and then we're gonna try running get MP preference again we're gonna pass in the sim session and so now we can see that

that file path is there so here's a weird thing also that I've also asked other people I haven't been able to completely figure out and others haven't been able to understand either so set MP preference as I mentioned earlier over writes the value right like we just changed from exe to PDF well in this case it also it just appended this because we originally had C temp and now this has C temp sync on and I can't unfortunately explain that behavior why for certain attributes a completely override switch is what it's supposed to do and then others in this case it's just appending an exclusion path I have asked a few friends and they they don't

know the answer either it's just it's an oddity exists and you should be aware of it but as you can see though are the the path that we wanted to create was still created and so we're now blocking allowing anything from that that

okay so the good bad news and the good news from a defensive side is besides built-in command lights there's not a whole lot that's available for constrained language mode I kind of like this because the things interesting if anyone else starts really dive in constrain language mode you can kind of be the people that really start building out capability it's like there's not there's not a whole lot that exists so I think it's kind of fun to get in there from the ground floor start building out either libraries or different functionality that other people can use from a defensive if it really helps or an offensive perspective where there just isn't a whole lot of code that

exists the interesting that about this is any code that you write and constrain language mode will run in full language mode but the inverse is obviously not always true the other interesting thing is if you run it or write it in constrained language mode if you go against a device guard protected system or Windows Defender application control protected system your code will run on it because PowerShell is going to be whitelisted it's just running in constrained language mode all right so building out different capabilities in constrained language mode there's largely two different methods of how to survive in a constrained language mode protected environment one is to build a bypass or constrain language mode I believe Matt

Nelson has developed a couple different bypasses for a constrained language mode he's also done it for device guard itself but for specifically considering language mode or w doc he's done that there's a couple guys I believe about an MD SEC that have like just recently published a blog post on I believe using different comics to or a specific common object or something else that normally you would think should be blocked but allows you to do something and constrain language mode bypassing that's restrictions the only thing with constrained language mode is it's going to have a limited shelf life right it's going to probably be serviced by Microsoft and would not be allowed to run again kind of like Ann mentioned

before constrained language mode is also really only effective if it's paired with application whitelisting because if constrain language mode is enforced like I mentioned but application whitelisting isn't then I would just not use our show and write my own custom code the other capability or the other method to survive with any constraint linkage mode system is living off of the land using what's currently available so let's kind of explore these two options and here I actually kind of just mentioned I already talked about this as constraint language mode needs to be really pair with application whitelisting so one option is subvert constrained language mode is to develop a bypass you can think of this as kind

of similar to an exploit but it's it's definitely not an exploit at all but I like to think of it as you may have only one shot to use your bypass because if it's it I would consider it essentially burnt after that one time because it may be detected by whatever defenders are on the system if they have the capability to detect what you actually ran now you can always hope that it wasn't caught and maybe you can reuse that but it's something that you want to make sure that you want to use it when you really need it the Casey Smith has doing a lot of research on bypassing largely application whitelisting a lot of these

things are for bypassing device guard and application whitelisting rules such as msbuild install util and excuse me women but he also used c DB exe which is a debugger which if you can I believe he was able he wrote a blog post about changing constrained language mode or PowerShell was loaded in memory he attached a debugger to it and modified something in memory within that powershell process to actually allow and like have it revert back to full language mode so it wasn't actually enforcing constraint language mode anymore so he wrote a bypass for it and you can use these different capabilities but again it depends how the targeted system that you're going after is protecting their system if they're using

something like device guard well if your bypass has ever detected they can upload date what they call their code integrity policy or update their application whitelisting rules that they have to go ahead and just block whatever program you're abusing to to bypass either device guard or constrain language mode itself so this is a approach I would say because it takes a lot of time and it takes research and so it's engineering time here people are working on stuff to try to develop some sort of a bypass you want to protect their use but ideally it's a quote guaranteed when unless something else happens which you is unforeseen to prevent it from working the other option

is to kind of live within the constraints of constrained language mode well how do you kind of start this approach and it's this is approach that I take is first of all just deploy a VM of Windows 10 and force the Vice guard on it which is completely built into the OS completely free so anyone can just do this on a test VM to see how it looks and then try to see and make sure that constrain language map is enforced and so you can just do a quick test by seeing what language mode are we in try to do the square root of 9 something like that after you have constrained language mode up and running on a system

the first that really is to figure out the problem that you're trying to solve what do you want to do so start small use minimal tools just write a minimal amount of code and test and so I when I kind of test building out things and constrain the language mode it's I kind of think of it as like a test-driven development process because I'm writing a couple lines and then I'm testing to make sure I'm getting the expected results and not any errors at that point if I'm getting like a this is blocked and only allowed in full language mode then I know I need to go back and rewrite something that I'm doing so each

like I don't this is exactly next slide it's basically what I just said write a small amount of code it starts to solve your problem and test to see if it actually does solve that problem as you encounter different invalid operations or you're using restricted data types look to see how you can modify your code that you're doing that you're using to come up with a different way to do it and so I'll talk about how we do that in just a second with when the implant the big thing to go into this is writing constrained language mode it's going to be a frustrating experience because everything that you used to doing to being able to leverage with PowerShell

is probably going to be blocked and so you have to try to figure out different ways to do it and this is very much like your typical hacker mindset right like if something doesn't work the first time you're not giving up you're going to keep going and look for different to solve whatever problem it is or line of code that you're doing again don't look the c-sharp code within your powershell scripts it's probably going to be blocked look to recreate the same end result if you will that you expect from C sharp within PowerShell so what currently is this and what's an example that we can reference so women implant so this women plant as a tool

that I wrote that is 100% written in constraint to be compliant with constrain language mode I can't remember how many lines of code this is probably like 1500 lines it really isn't that much but spending that much time slamming your head against the desk trying to deal with constrain language mode block and everything you're doing is an interesting development process I built this to target device guard protected systems and this was because I wanted to as I'm assuming more people are going to eventually start rolling out application whitelisting I want to have some sort of tooling that will let me attack them while device guard enforces constrain language mode so I had to write a tool that worked in

constrain language mode when the implant uses both PowerShell and W mine both of these binaries and/or services are going to essentially always be allowed to run on a system even a system that's application white this enforcing application whitelisting I have I have personally never seen an environment that blocks completely outright PowerShell dot exe even if you did like I mentioned earlier you can just load the DLL on the backend and just gain access to PowerShell again with W my I've never seen an environment that prevents WMI from running I have seen environments that may be block it from one network to another network but WMI is commonly used by administrators to test the strength or the health of

systems gather different information so that's generally always allowed so I used W my for C to the mean to trigger in action and data storage well data storage encoding word problems but we I was able to figure out how to make this work in constrained language mode so like I mentioned earlier one thing that we cannot do in constrain language mode is unfortunately convert to a base64 string because if I'm once you download or upload a file when I do this I can't generally always deal with binary data has to be encoded in one format or another so this just outright doesn't work if I want to download a file I can't cover in base64 string so I trying

to figure out okay how do i encode data in a format that does work in constrained linguish mode so I was actually talking with my coworker at the time and my friend Daniel Kanan he wrote the awesome tools invoke obfuscation invoke a couple different ones that makes PowerShell look disgusting so I would definitely mention say to go look at that what this what this lines does is so this is a test data store what this does this just says this is just sampled data it's just a random string and what this kind of like one-liner here essentially does is it takes either a character array or a byte array depending if you're dealing with text or

binary data and it converts each character or a bite into an integer and it then does that in a comma separated one line so with this string this is just sampled data is converted now into this so we see 84 comma 104 comma 105 common 115 and so forth this is perfect like this is all that I actually need and this completely works in constrained language mode so while it's not base64 encoded we're just going byte by byte or character by character converting into an integer and that will solve our encoding problem so all of our data is now encoded next thing so old dog new trick so I kind of wanted to try to

solve the encoding problem specifically the base64 encoding problem I mean but the thing is obviously it doesn't work at all in constrained language mode so I needed to figure out where is the restriction and constrain language mode what's preventing from happening and this is where I was like okay let's I guess figure out how constrained base64 encoding actually works so it has does anyone here know how a base64 encoding works awesome you you want to snag something and go and grab something it's so all gonna learn right here basically what it is is there's 64 different values that your character can be and will show how to determine it once you get find a number

if the value is nine then your character that you're using is J so the way that that works is you go three you have let's you have a massive string of bytes it's not a string advice but just a long list of bytes you take three bytes at a time so that's 24 bits and you split those 24 bits into 6 bit chunks so you end up with 4 6 bit chunks then what you do is you take each of those 6 bits and you look up whatever that value is and so that's your basics for encoded string so I know that's kind of abstract here's an example so let's say we're trying to be 64 encode the string man Capital m

lowercase a lowercase n and this is taken straight from Wikipedia well this is what man is the bytes and so here's our 8 bits here's lowercase a and here's lowercase n well if we split this up into 6 bit chunks we end up with this is the first 6 this is the next 6 next 6 and so forth so this in binary is equal to 19 if we go back to that table and find 19 that is equal to capital T and so that's how we can figure out what that first value is same process for the rest of these this is 22 546 so if we just go back look at 46 we should see right there is

lowercase u so there's a known associated alphabet with what every single value should be so the same process the next one you'll what if like we only have one letter left and like the rest is just blank so in this case you normally would just pad these out to zeros and in the case where there are no extra letters that's where you get equal signs and that's how they Pat it out to make sure it always has 64 bits excuse me 24 so if we use Python 3 and we try to figure out okay what does man actually look like again we can see this is TW fu and that's our value so I then try to figure out okay how can

we do this in constrain language mode so I wrote this script called PowerShell it's called CLM base 64 and after taking a lot of time working on it was trying to it was able to figure out how to get a 64 encoding working I'm sorry this is kind of dark I'll really I'll push these slides online so that you guys can look at these and see these a little bit easier later but what this is doing is basically it can take you to a string or a file as input and it will go through and perform this basic ste for encoding process the other interesting thing that it does which I'll have in a later slide just to

show is you can provide what's called an alternate alphabet so when we're dealing with base64 according to the RFC this is the standard alphabet this is 0 is always equal to a 1 is always equal to B well what malware authors like to do sometimes is they of course like to make life harder from our analysts what's this prevent you from just swapping Kappa like inverting this whole alphabet and making 0 equal to slash 1 equal to a plus you can just arbitrarily assign a different alphabet to what each value should be in base64 well this can sometimes mess up automated analysis tools so what this library does is it also allows you or the this chameleon

does it does allow you to provide an alternate alphabet if you want for base64 encoding and then it will validate that it's a valid alphabet and then you can just start using that so this is where we're going through we're doing checks like if the value is not equal to 0 0 0 0 0 0 then figure out what that binary value is so like if it's not 0 and it's so which is a then figure out lookup in this chart which is stored in the script what is the value of whatever the number is some do you write here otherwise just assume it's a unless we provide an alternate alphabet this is kind of at the very end where

it's looking in the padding so I I didn't want to go over this line by line just wanted to give kind of examples out of this how it works is here it's checking is there any equal sign that we need to include in padding or if we're decoding to remove before we actually go through and get the the actual content that we were trying to get so here's where I ran into a problem with base64 encoding is as you could tell earlier we have to figure out what the base-10 value is of a some binary number to then about what that value is and the basic C 4 encoded R I've seen but that is actually blocked you can't

actually convert 1 1 1 1 1 1 2 into base 10 in PowerShell constrain language mode it's just not allowed so I was again actually talking with Daniel B Hannon about this and I think before I even finished explaining my problem like hey I just ran into this like weird issue I'm gonna try to solve he's like I figured it out and so he's like here I got this one line I look it's just this real quick thing I was like well that's awesome you just totally did this and figure out how to convert this from base 2 to base 10 and like we now had that functionality so this was one of the bigger hang-ups originally and it can

now just easily be done with this PowerShell one-liner right here well we're just we have the different powers of each spot and then just going through and getting that data and converting it so just as a quick example here using this script that I wrote a host run space language mode you can see we're in constrained language mode we're going to convert to base64 string with a string man we still get our T wfu we convert from base64 that string we get back our main value so we have basic C for encoding now completely working in constrained language mode and this is again where I was talking about at the very end just how to do an alternate

alphabet and it's in there we're running short on time so I'm gonna see if I can do a quick snippet of this video and then we will stop right after that which is the end anyways so it's 50 seconds so here you can see where it's gonna be running host run space we are in constrained language mode I already have I'm gonna test ok here we're gonna try doing the square root to figure out if constrain lakish mode actually is enforced which we will see that this is an error and so now I believe the next step is going to be okay we're gonna try to convert to base64 and we're going to put some

or string here in this case again Murray looks like 40 north and besides Augusta and we're gonna let it run and we get that value of coming out of it so it actually did encode that date into base64 format and now we're going to convert from base64 back into trying to find out the original string easy way to do that let's just copy and paste that encoded value in put it in there it's kind of off string or off the screen let it run and then we got our results back

so that's largely it um that this capability didn't exist in PowerShell constrained language mode at all before it's not a hard problem to solve like that's it's super basic but I wanted to be able to figure out how distinct code data that you couldn't only do before so in Microsoft's own words like CLM is designed to support day-to-day administrative tasks even there's a lot of things that are restricted there are still a lot of things you can do from both largely from an attackers perspective I want to be prepared for that environment and have certain capabilities then have not or then don't have those capabilities and just be in trouble an attacker will look to use your

administrative tools as a means to enable their goals so like just how we could do a modify antivirus and everything like that and attackers gonna look to do the same thing so when you see that enable your telemetry so you can start caching what they're doing as they do it and so you can have at least of the ability to reconstruct the attacks that they performed that's really it at this point I literally just before this talk push the code and made it live so it is now available on github you can go check it out if it's of any interest the next thing that I'm looking to do is start adding encryption into this where I uh

there's no ability to just encrypt data at all and constrain language mode that I know of at this point so that's the next thing I want to build out and have available but um if you have any questions you can we can now I know we're really short on time we can also talk on the side or you can hit me up on Twitter go to our website anything like that and I'm happy to discuss anything that there is so I'll take questions if I can otherwise thank you everyone for your time yes sir [Applause]

probably not because it's probably because if you're running that through PowerShell and it's using any sort of non listed data type it would not run question was can you still run something like PS attack or other c-sharp through PowerShell on there and if it's if it's enforced on there and it uses that a non-white list of data type it will probably be blocked any questions all right thank you thank you very much [Applause]