uberAgent

PowerShell Constrained Language mode

This document explains how to use uberAgent with PowerShell’s Constrained Language mode enabled.

Understanding Constrained Language Mode

PowerShell Constrained Language mode is a security feature that restricts the language elements which can be used to call arbitrary Windows and .NET APIs: creating objects of non-core .NET types, invoking methods on them, using COM objects, or defining new types with Add-Type. Those capabilities are exactly what many PowerShell-based attacks depend on. For a detailed description, see Microsoft's blog post on PowerShell Constrained Language mode.

Impact on uberAgent

uberAgent relies on PowerShell to collect several kinds of data, for example Citrix metrics and the output of Custom Scripts. Those scripts gather their data through a number of Windows and .NET APIs, most of which require PowerShell's full language capabilities and are therefore blocked in Constrained Language mode.

Identifying Potential Issues

If uberAgent's scripts are running constrained, its log files contain one or both of the following keywords close to a powershell.exe entry:

  • PermissionDenied
  • PSNotSupportedException

Both indicate an error raised by PowerShell because a script tried to use a feature that Constrained Language mode does not permit.
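The following script is an added example and not part of the uberAgent documentation. It shows, from an ordinary PowerShell prompt on the endpoint, which language mode the session is in, reproduces the error behind the two keywords (New-Object on a non-core type is refused in Constrained Language mode), and then searches the log directory for the keywords in the vicinity of a powershell.exe reference. The log directory is an assumption; point it at the log folder of your deployment.

```powershell
# Added example (not from the uberAgent documentation). Assumed: the log
# directory below is a placeholder; point it at the log folder of your deployment.
$LogDirectory = 'C:\ProgramData\vast limits\uberAgent\Log'

# 1. Language mode of the current session. Under an enforced AppLocker/WDAC
#    policy, only allowed script files run in FullLanguage; everything else,
#    including this interactive session, runs in ConstrainedLanguage.
'Language mode of this session: {0}' -f $ExecutionContext.SessionState.LanguageMode

# 2. Reproduce the failure behind the log keywords. In ConstrainedLanguage mode
#    New-Object may only create core types, so this throws a PSNotSupportedException
#    in the PermissionDenied category; in FullLanguage mode it simply succeeds.
try {
    $null = New-Object -TypeName System.Diagnostics.Stopwatch -ErrorAction Stop
    'New-Object succeeded: this session is not constrained.'
}
catch {
    # CategoryInfo.Reason carries the exception type name, which is what the
    # uberAgent log shows; .GetType() itself would be refused in ConstrainedLanguage.
    'Reason   : {0}' -f $_.CategoryInfo.Reason      # PSNotSupportedException
    'Category : {0}' -f $_.CategoryInfo.Category    # PermissionDenied
    'Message  : {0}' -f $_.Exception.Message
}

# 3. Find log lines carrying one of the keywords within three lines of a
#    powershell.exe reference; each hit points at a script that ran constrained.
if (Test-Path -LiteralPath $LogDirectory) {
    Get-ChildItem -LiteralPath $LogDirectory -Filter '*.log' -Recurse |
        Select-String -Pattern 'PermissionDenied|PSNotSupportedException' -Context 3, 3 |
        Where-Object {
            $window = @($_.Context.PreContext) + $_.Line + @($_.Context.PostContext)
            ($window -join "`n") -match 'powershell\.exe'
        } |
        ForEach-Object { '{0}:{1}: {2}' -f $_.Filename, $_.LineNumber, $_.Line.Trim() }
}
else {
    "Log directory not found: $LogDirectory"
}
```

The script deliberately avoids anything that Constrained Language mode would block (no .GetType(), no non-core object creation outside the try block), so it runs unchanged in both modes and its own output tells you which mode you are in.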

How to use Constrained Language mode with uberAgent

Constrained Language mode is typically enforced by a system-wide application control tool such as AppLocker or Windows Defender Application Control (WDAC): when such a policy does not allow a script file, PowerShell runs it in Constrained Language mode instead of refusing to run it. The same tools can exempt files and folders you trust, and scripts allowed by the policy run with full language functionality.

AppLocker

If AppLocker is used for application control, you can allow-list uberAgent's PowerShell scripts with the following steps:

  1. Open the Group Policy editor.
  2. Navigate to Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > Script Rules.
  3. Create a new rule:

    1. Action: Allow
    2. Choose Publisher (continue with step 4) or Path (continue with step 5).
  4. If you chose Publisher:

    1. Select an uberAgent script, e.g., C:\ProgramData\vast limits\uberAgent\Configuration\Security inventory\Windows\Antivirus\Antivirus.ps1 (Publisher rules require the script to be signed).
    2. Set the slider to Publisher. The rule then allows every script carrying that publisher's signature and no unsigned file.
  5. If you chose Path:

    1. Select Browse Folders.
    2. Select a folder, e.g., %OSDRIVE%\ProgramData\vast limits\uberAgent\Configuration\Security inventory\*
  6. If you want to exclude files from the allowlist, you can do that on the Exceptions page.
  7. Finally, enter a name and a description for the rule.
  8. Click Create to add the new rule.

Once Group Policy has been applied on the endpoint (gpupdate /force, or the next scheduled refresh), uberAgent's scripts run in FullLanguage mode. Only the allow-listed script files are exempted; an interactive PowerShell session on the same machine stays in Constrained Language mode.

Make sure the allow-listed folders and scripts are read-only for regular users. With a path rule, anyone who can write to the folder could drop their own script there and have it run in FullLanguage mode, which would turn the exemption into a privilege escalation; read-only permissions prevent that and guarantee that PowerShell runs uberAgent's scripts unmodified.
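The following script is an added example, not part of the uberAgent documentation, and serves as the PowerShell counterpart of the procedure above: it generates the AppLocker rules from the script folder, merges them into the policy, checks what the effective policy decides for each uberAgent script, probes the language mode a script in that folder really gets, and reports write permissions that would violate the read-only requirement. It must run elevated on a machine with the AppLocker module. The folder path is the one from the path rule above; $RuleXml, $TestUser, the probe file name and the list of low-privileged principals are my own assumptions.

```powershell
# Added example (not from the uberAgent documentation). Run elevated with the
# AppLocker module available. Assumed: $ScriptRoot is the folder from the path
# rule above, $RuleXml is a scratch file of my choosing, $TestUser is the
# principal whose access is evaluated.
$ScriptRoot = 'C:\ProgramData\vast limits\uberAgent\Configuration\Security inventory'
$RuleXml    = Join-Path $env:TEMP 'uberAgent-script-rules.xml'
$TestUser   = 'Everyone'

# 1. PowerShell equivalent of the Group Policy steps: build Publisher rules for
#    signed scripts (falling back to Path rules for unsigned ones) and merge
#    them into the local AppLocker policy. In a domain, pass -Ldap with the GPO
#    path to Set-AppLockerPolicy instead, or import the XML in the GPO editor.
Get-AppLockerFileInformation -Directory $ScriptRoot -Recurse -FileType Script |
    New-AppLockerPolicy -RuleType Publisher, Path -User $TestUser -RuleNamePrefix 'uberAgent' -Optimize -Xml |
    Out-File -FilePath $RuleXml -Encoding Unicode
Set-AppLockerPolicy -XmlPolicy $RuleXml -Merge

# 2. Check every uberAgent script against the effective policy; anything that is
#    not explicitly Allowed will still run in ConstrainedLanguage mode.
$policy  = Get-AppLockerPolicy -Effective
$scripts = Get-ChildItem -LiteralPath $ScriptRoot -Filter '*.ps1' -Recurse
Test-AppLockerPolicy -PolicyObject $policy -Path $scripts.FullName -User $TestUser |
    Where-Object { $_.PolicyDecision -ne 'Allowed' } |
    Select-Object -Property FilePath, PolicyDecision, MatchingRule

# 3. Probe the language mode a script in that folder actually gets. Under a Path
#    rule the probe reports FullLanguage; under a Publisher rule the unsigned
#    probe is not allowed and reports ConstrainedLanguage, which is the expected
#    result for a file the publisher did not sign.
$probe = Join-Path $ScriptRoot 'clm-probe.ps1'          # assumed file name
Set-Content -LiteralPath $probe -Value '$ExecutionContext.SessionState.LanguageMode'
& powershell.exe -NoProfile -ExecutionPolicy Bypass -File $probe
Remove-Item -LiteralPath $probe

# 4. Report ACEs that let low-privileged principals write into the allow-listed
#    folder. A writable allow-listed path lets any user drop a script that runs
#    in FullLanguage mode, which is the escalation the read-only rule prevents.
$writeRights = [System.Security.AccessControl.FileSystemRights] 'Write, Delete, ChangePermissions, TakeOwnership'
$lowPriv     = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
@(Get-Item -LiteralPath $ScriptRoot) + @(Get-ChildItem -LiteralPath $ScriptRoot -Recurse) |
    ForEach-Object {
        $path = $_.FullName
        (Get-Acl -LiteralPath $path).Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $lowPriv -contains $_.IdentityReference.Value -and
                ($_.FileSystemRights -band $writeRights) -ne 0
            } |
            ForEach-Object { '{0}: {1} has {2}' -f $path, $_.IdentityReference, $_.FileSystemRights }
    }
```

Step 4 should print nothing; every line it does print is an entry that lets a standard user modify or replace an allow-listed script and has to be removed before the rule is enforced. Step 3 is the direct test of the statement above that allow-listed scripts run in FullLanguage mode: the child powershell.exe is started without any special flags, so whatever it reports is what uberAgent's scripts will get.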
