Question: Is "constrained language mode" a security feature or not?


Parkinsond (Thread author), Dec 6, 2023
Constrained language mode is not a security feature. The constraint is to match the capabilities that were in Windows S (ARM). It was designed for application developers to test their scripts on x86-64 for compatibility with Windows S on ARM. Using it as a security feature, you are just hoping some vulnerability affects only the portable portion of the language, but there is no basis for this. Mostly you just make people suffer for no benefit. Windows S doesn't exist anymore and Windows 11 on ARM doesn't use constrained language mode (afaik, will test tomorrow).

Oh, also it's easy for someone to bypass it because it's not a security boundary.


Which types of command-related attacks could be prevented by CLM and which cannot?
 
Here is what Microsoft thinks about this:

The comment in the OP is incorrect and was already discussed on Reddit.
Constrained Language Mode is not a security boundary. However, it considerably increases the security level when combined with Application Control features (SRP, AppLocker, or WDAC).
There are two implementations:
  1. Registry tweak (intended probably for debugging/testing):
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\__PSLockdownPolicy
  2. Applying SRP, AppLocker, or WDAC.
The first method can be easily bypassed. However, it can be hardened by applying another registry tweak to block PS1 files.
I think that the comment in the OP was related to point 1.
 
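An added example to accompany the post above; it is not code from any post in this thread. It is written for Windows PowerShell 5.1 and shows what Constrained Language Mode actually gates, how to read the current mode, and how the "registry tweak" implementation (the __PSLockdownPolicy value at the path the post gives) is set. The probe list, the helper names and the PowerShell 2.0 engine check are my additions; nothing here touches the network.

```powershell
# Added example for this thread; it is not code from any post above.
# Windows PowerShell 5.1. Shows what Constrained Language Mode (CLM) gates, how
# to read the current mode, and how the "registry tweak" implementation from the
# post is set. Everything runs locally; no network access is needed.

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'

function Get-PSLockdownState {
    # Session language mode plus the two inputs that decide it on a machine
    # without AppLocker/WDAC: the __PSLockdownPolicy machine variable, and
    # whether the legacy 2.0 engine (older than CLM, so unaware of it) is still
    # installed. The feature query needs elevation; unelevated it reports 'unknown'.
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LanguageMode     = $ExecutionContext.SessionState.LanguageMode
        PSLockdownPolicy = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).__PSLockdownPolicy
        PSv2Engine       = if ($v2) { $v2.State } else { 'unknown' }
    }
}

# Probes kept as text and compiled with Invoke-Expression at each run, so they
# always pick up the session's current mode (a script block remembers the mode
# it was parsed in, so a function defined before the switch below would not).
$probeScript = @'
$r = [ordered]@{}

# 1. Instantiating a non-core .NET type: blocked in CLM ("Cannot create type").
try   { [void](New-Object System.Net.WebClient); $r['New-Object Net.WebClient'] = 'allowed' }
catch { $r['New-Object Net.WebClient'] = 'blocked' }

# 2. Method call on a non-core type: CLM permits methods only on core types.
try   { [void][System.IO.File]::Exists($env:windir); $r['[IO.File]::Exists()'] = 'allowed' }
catch { $r['[IO.File]::Exists()'] = 'blocked' }

# 3. Compiling C# in-process: blocked in CLM.
try   { Add-Type -TypeDefinition 'public class ClmProbe {}' -ErrorAction Stop; $r['Add-Type'] = 'allowed' }
catch { $r['Add-Type'] = 'blocked' }

# 4. Cmdlets are not gated by CLM: "iwr ... | iex" still resolves. This gap is
#    what "not all, but most" means later in the thread.
$r['iwr / iex cmdlets'] = if (Get-Command Invoke-WebRequest, Invoke-Expression -ErrorAction SilentlyContinue) { 'allowed' } else { 'blocked' }

[pscustomobject]$r
'@

# Baseline, normally FullLanguage with every probe 'allowed'.
Get-PSLockdownState
Invoke-Expression $probeScript

# Drop this session into CLM. The change is one-way (a session cannot raise its
# own mode again), which makes it a cheap way to test scripts before rollout.
$ExecutionContext.SessionState.LanguageMode = 'ConstrainedLanguage'
Invoke-Expression $probeScript      # probes 1-3 now 'blocked', probe 4 still 'allowed'

# Machine-wide, the way the post's "registry tweak" does it. '4' means
# ConstrainedLanguage; needs an elevated prompt and applies to new processes.
# PowerShell reads this from the machine environment itself, which is why the
# post calls it debug-grade rather than a security boundary.
# Set-ItemProperty -Path $regPath -Name '__PSLockdownPolicy' -Value '4' -Type String
```

Probe 4 is the point to take away: CLM restricts the language, not the cmdlets, so a download-and-run chain built purely from cmdlets is outside what CLM alone can stop. That is what makes the pairing with application control (SRP, AppLocker, WDAC) the meaningful configuration rather than the registry value on its own.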
Thank you for the thorough explanation.
Does CLM abort all malicious commands executed through PS or can the threat actor formulate the command to avoid CLM limitations?
 

There are no malicious commands in PowerShell.
CLM blocks some advanced PowerShell features that are mainly abused in attacks. Of course, the attackers can still use PowerShell, but the attack surface is considerably smaller.
 
Can I say CLM will block all commands to download or decrypt a payload?
And if so, why should I use SRP? Even if an LNK file is going to execute a command to download a payload, it will be blocked by CLM.
 

As usual, it’s a combination of multiple security measures that work together to strengthen the overall system.
In any case, CLM is very helpful.

Keep in mind that Windows PowerShell 5.x is the most commonly exploited, precisely because it’s always present in the system.
So if you don’t have any specific requirements, it would be best to restrict the use of Windows PowerShell as much as possible.

If you’re interested, I asked the AI a while back what the most practical yet restrictive settings are.
The answer was CLM + “RemoteSigned”.

You can also use “AllSigned” and “Restricted”.

If you want to know which policy is applied to PW:


Code:
Get-ExecutionPolicy
 
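An added example following the post above; it is not code from any post in this thread. It reads the execution policy per scope (extending the post's `Get-ExecutionPolicy`), pins it through the same registry values the "Turn on Script Execution" Group Policy writes so that a command-line override cannot undo it, and checks the result. Windows PowerShell 5.1; the function names are my own, and the policy key needs elevation.

```powershell
# Added example; not code from any post above. Windows PowerShell 5.1.
# Reads the execution policy per scope, pins it where a command-line override
# cannot undo it, and checks the result. Elevation is needed for the policy key.

function Get-ExecutionPolicyReport {
    # Scopes are listed in precedence order. Process, CurrentUser and LocalMachine
    # are ordinary settings that 'powershell -ExecutionPolicy Bypass' replaces for
    # its own process; MachinePolicy and UserPolicy come from Group Policy and win.
    Get-ExecutionPolicy -List
}

function Set-MachineExecutionPolicy {
    param([ValidateSet('AllSigned', 'RemoteSigned', 'Restricted')][string]$Policy = 'RemoteSigned')
    # Same values the "Turn on Script Execution" Group Policy writes; on a
    # standalone PC this is how the MachinePolicy scope gets populated.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    New-Item -Path $key -Force | Out-Null
    if ($Policy -eq 'Restricted') {
        Set-ItemProperty -Path $key -Name EnableScripts -Value 0 -Type DWord
    } else {
        Set-ItemProperty -Path $key -Name EnableScripts   -Value 1       -Type DWord
        Set-ItemProperty -Path $key -Name ExecutionPolicy -Value $Policy -Type String
    }
}

function Test-ExecutionPolicyOverride {
    # Launches a child shell that asks for Bypass and reports what it actually
    # got. Before pinning: 'Bypass'. After Set-MachineExecutionPolicy: the pinned
    # value, because MachinePolicy outranks the Process scope.
    $ps = "$env:windir\System32\WindowsPowerShell\v1.0\powershell.exe"
    [pscustomobject]@{
        Requested = 'Bypass'
        Effective = (& $ps -NoProfile -ExecutionPolicy Bypass -Command 'Get-ExecutionPolicy')
        Pinned    = (Get-ExecutionPolicy -Scope MachinePolicy)
    }
}

Get-ExecutionPolicyReport
Test-ExecutionPolicyOverride
# Set-MachineExecutionPolicy -Policy RemoteSigned   # elevated; then re-run the test

# Scope of what this buys you: the execution policy only decides whether .ps1
# files on disk may be run. Commands passed with -Command/-EncodedCommand are
# not script files, so they are unaffected; that is why the thread pairs it
# with CLM (which limits what any command may do) rather than using it alone.
```

Microsoft's own documentation describes the execution policy as a safety feature against running scripts unintentionally, not a security system, so pinning it is worth doing but it is a different layer from CLM: one decides whether a script file loads, the other what the loaded code is allowed to do.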
So can I rely on CLM and not to use SRP?
 

That's up to you.
Try running a simulation with the free version of ChatGPT based on your needs, so the AI can show you all the possible scenarios.

Of course, make sure to tell it that you've already blocked Windows PW executables (firewall outbound rules) and are using LOLbins in your firewall rules.
Otherwise, there could be some bypass...
 
I already have all of them blocked by the firewall, and this raises another inquiry: is blocking LOLBins at the firewall level a replacement for CLM?

It's always the same answer: it helps, but it's the combination of all these measures that makes life harder for malware.

Think of your PC as a medieval castle with defenses designed to withstand attacks.

The higher the castle is perched, the deeper the moat, and the thicker the walls… the more impenetrable it was.
A single defense or even just a few can be bypassed.
 
I agree with you regarding the layered pattern of protection; just trying to avoid using two layers if they are providing the exact same protection (redundancy-free layering).
 
So can I rely on CLM and not to use SRP?
SRP gives you non-executable directories (\Users, \ProgramData). SRP also allows you to ban executables via rules. CLM gives you limitations of the PowerShell language. Two separate things.

avoid using two layers if they are providing the exact same protection (redundancy-free layering).
So, no, the two things SRP and CLM are not the same protection.

Hard_Configurator is a mixture of separate things: it includes SRP, some registry mods that have equivalents in Group Policy, ConfigureDefender, FirewallHardening... It's a mixed bag. Not every feature inside H_C is SRP based.
 
So, no the two things SRP and CLM arre not the same protection.
I know they are not the same; what I am asking is whether CLM can abort the attack without SRP, even if at a later stage. If so, I can use CLM alone.
 
Can I say CLM will block all commands to download or decrypt a payload?

Not all, but most of those used in the wild.

And if so, why should I use SRP? Even if an LNK file is going to execute a command to download a payload, it will be blocked by CLM.

Look at the first comment. :)
Furthermore, without using SRP, WDAC, or AppLocker, you must use the __PSLockdownPolicy tweak, which was not intended as a security feature (easily bypassed). However, it can be a part of reasonable security when you also block PS1 files and use SAC. It is not perfect, but it can be efficient at home.
 
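An added example for the post above (and for the earlier point that SRP directory rules and CLM are separate things); it is not code from any post in this thread. It shows the second implementation the thread describes, enforcing CLM through application control, using AppLocker script rules instead of the __PSLockdownPolicy value. With the Script rule collection enforced, Windows PowerShell 5.1 starts in ConstrainedLanguage and runs only policy-allowed script files in FullLanguage. Assumptions, all mine: an elevated prompt, a Windows edition that supports AppLocker enforcement, rule IDs generated at run time, and a deliberately minimal constructed rule set rather than Microsoft's default rules.

```powershell
# Added example; not code from any post above. Enforces CLM through AppLocker
# script rules instead of the __PSLockdownPolicy variable. With the Script
# collection enforced, Windows PowerShell 5.1 starts in ConstrainedLanguage and
# runs only policy-allowed script files in FullLanguage. Assumptions: elevated
# prompt, an edition that supports AppLocker enforcement, rule IDs generated here
# and a deliberately minimal constructed rule set (not Microsoft's default rules).

function New-ScriptClmPolicyXml {
    param([switch]$AllowAdministrators)
    # Allow rules only. A script outside these paths (the usual
    # %USERPROFILE%\Downloads\x.ps1) is denied, and any session whose token the
    # rules do not allow runs in CLM. %WINDIR%\* still contains user-writable
    # folders (Temp, Tasks); tighten with exceptions before relying on it.
    $adminRule = if ($AllowAdministrators) {
@"
    <FilePathRule Id="$(New-Guid)" Name="Administrators: all scripts" Description="Elevated sessions get FullLanguage; omit for CLM everywhere" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
"@
    } else { '' }

@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="Enabled">
    <FilePathRule Id="$(New-Guid)" Name="Everyone: scripts in Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Everyone: scripts in Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
$adminRule
  </RuleCollection>
</AppLockerPolicy>
"@
}

function Enable-ScriptClmPolicy {
    param([string]$XmlPath = "$env:TEMP\clm-script-policy.xml", [switch]$AllowAdministrators)
    New-ScriptClmPolicyXml -AllowAdministrators:$AllowAdministrators | Set-Content -Path $XmlPath -Encoding UTF8
    # Enforcement depends on the Application Identity service. It is a protected
    # service on current Windows 10/11, so sc.exe is used rather than Set-Service.
    sc.exe config appidsvc start= auto | Out-Null
    Start-Service -Name AppIDSvc
    # -Merge keeps any Exe/Dll/Msi collections already configured on the machine.
    Set-AppLockerPolicy -XmlPolicy $XmlPath -Merge
    Get-AppLockerPolicy -Effective -Xml
}

function Test-ScriptClmPolicy {
    param([string]$XmlPath = "$env:TEMP\clm-script-policy.xml")
    # Offline check of sample files against the XML, then a live check: a fresh
    # shell reporting its own language mode. Run the live check from a
    # non-elevated console; expect 'ConstrainedLanguage' once enforced.
    $denied = "$env:TEMP\probe.ps1"                 # constructed file in a user-writable path
    'Write-Host probe' | Set-Content -Path $denied
    # Any .ps1 shipped under $PSHOME sits below %WINDIR%\* and should be allowed.
    $allowed = (Get-ChildItem -Path $PSHOME -Filter *.ps1 -Recurse -ErrorAction SilentlyContinue |
                Select-Object -First 1).FullName
    $paths = @($denied) + @($allowed | Where-Object { $_ })
    Test-AppLockerPolicy -XmlPolicy $XmlPath -Path $paths -User Everyone
    & "$env:windir\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command '$ExecutionContext.SessionState.LanguageMode'
}

# Enable-ScriptClmPolicy -AllowAdministrators   # elevated
# Test-ScriptClmPolicy                          # then from a standard console
```

This is the difference from the registry tweak: here the language mode follows an OS-enforced decision about which script files the user's token may run, so it is not undone by simply removing an environment value. The trade-off is in the rule set: keeping the Administrators rule means elevated sessions run FullLanguage, dropping it means every admin script must live under an allowed path. WDAC gives the same language-mode behaviour with its own policy format, which is what the later post in this thread asks for.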
I know they are not the same; what I am asking about if CLM can abort the attack without SRP even if at a later stage, then I can use CLM alone.

Logically speaking, I don't think so, but it's best if you ask the AI, as I mentioned in post #9; only you know the exact configuration of your PC.
The AI will present you with possible workarounds, and you can decide what's best for your PC.

Or ask @Bot in this thread.
 
Furthermore, without using SRP, WDAC, or AppLocker, you must use the __PSLockdownPolicy tweak, which was not intended as a security feature (easily bypassed). However, it can be a part of reasonable security when you also block PS1 files and use SAC.
That is what I mean: to use WDAC only, without SRP; WDAC will enforce CLM and abort most attacks without the need for SRP.
So I am appealing to add the option to apply CLM by WDAC in WHHL 🙏