PowerShell Constrained Language mode
This document explains how to use uberAgent with PowerShell’s Constrained Language mode enabled.
Understanding Constrained Language Mode
PowerShell Constrained Language mode is a security feature that restricts access to sensitive language elements that can be used to invoke arbitrary Windows APIs. These features are often required to perform sophisticated cyber attacks. For a detailed description, see this Microsoft blog post.
Impact on uberAgent
uberAgent relies on PowerShell for collecting various metrics, such as details related to Citrix or Custom Scripts. The required data is accumulated via multiple APIs, most of which need full access to PowerShell’s capabilities.
Identifying Potential Issues
If you encounter problems in this context, you will notice the following keywords near powershell.exe in uberAgent’s log files:
- PermissionDenied
- PSNotSupportedException
The above keywords indicate issues that may have arisen due to the limitations imposed by Constrained Language mode in PowerShell.
How to use Constrained Language Mode With uberAgent
Constrained Language mode is often implemented by system-wide application control tools, such as AppLocker or Windows Defender Application Control. These tools can also remove the restrictions for files and folders you trust, allowing full command functionality for those particular files.
AppLocker
If AppLocker is used for application control, you can allow-list uberAgent’s PowerShell scripts with the following steps:
- Open the Group Policy editor.
- Navigate to Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > Script Rules.
- Create a new rule:
  - Action: Allow
  - Choose between a Publisher rule and a Path rule.
  - If you chose Publisher:
    - Select an uberAgent script, e.g., C:\ProgramData\vast limits\uberAgent\Configuration\Security inventory\Windows\Antivirus\Antivirus.ps1
    - Set the slider to Publisher
  - If you chose Path:
    - Select Browse Folders
    - Select a folder, e.g., %OSDRIVE%\ProgramData\vast limits\uberAgent\Configuration\Security inventory\*
  - If you want to exclude files from the allowlist, you can do that on the Exceptions page.
- Finally, enter a name for the rule and a description.
- Click Create to add the new rule.
Once the policies are synchronized at the endpoint, uberAgent’s scripts should run in FullLanguage mode.
Ensure that allow-listed folders and scripts are read-only for regular users. A user who can modify an allow-listed script could otherwise have their own code run in FullLanguage mode; read-only permissions prevent this privilege escalation and ensure PowerShell executes the scripts unmodified.
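The following verification script is an added example, not uberAgent's own code. Run it on the endpoint after the policy has synchronized: it reports the session's language mode, tests every script in the allow-listed folder against the effective AppLocker policy, and flags write permissions for regular users. The folder path is the one from the steps above; the scratch file location and the group-name pattern in the ACL check are assumptions.

```powershell
# Added example (not part of uberAgent): verify the AppLocker allowlist for uberAgent's scripts.
$folder    = 'C:\ProgramData\vast limits\uberAgent\Configuration\Security inventory'
$policyXml = "$env:TEMP\effective-applocker.xml"   # assumed scratch location

# 1. Which language mode does this session run in? Under AppLocker, a script that
#    the policy allows runs in FullLanguage; everything else is ConstrainedLanguage.
"Session language mode: $($ExecutionContext.SessionState.LanguageMode)"

# 2. Export the effective (local + domain) AppLocker policy so it can be dry-run.
Get-AppLockerPolicy -Effective -Xml | Set-Content -Path $policyXml

# 3. Test each uberAgent script against that policy. Anything not 'Allowed' would
#    still run in Constrained Language mode and show PermissionDenied /
#    PSNotSupportedException in uberAgent's logs.
$scripts = (Get-ChildItem -Path $folder -Filter *.ps1 -Recurse).FullName
$results = Test-AppLockerPolicy -XmlPolicy $policyXml -Path $scripts -User Everyone
$results | Where-Object { $_.PolicyDecision -ne 'Allowed' } |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
"Scripts allowed: $(@($results | Where-Object PolicyDecision -eq 'Allowed').Count) of $($scripts.Count)"

# 4. Allow-listed scripts must not be writable by regular users; otherwise a user could
#    replace a script with their own code and have it run in FullLanguage mode.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write
$regularUsers = 'Users|Authenticated Users|Everyone|INTERACTIVE'   # assumed group pattern
Get-ChildItem -Path $folder -Recurse | ForEach-Object { $_.FullName } |
    ForEach-Object -Begin { $paths = @($folder) } -Process { $paths += $_ } -End { $paths } |
    ForEach-Object {
        $path = $_
        (Get-Acl -Path $path).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $writeMask) -ne 0) -and
            $_.IdentityReference.Value -match $regularUsers
        } | ForEach-Object { "WARNING: $($_.IdentityReference) can write to $path" }
    }
```

Run it in an elevated PowerShell session, since Get-AppLockerPolicy -Effective requires administrative rights; a clean run prints no table rows and no WARNING lines.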