
Introduction
A significant security vulnerability has been identified in Windows 11 24H2, affecting the enforcement mechanisms of PowerShell scripts under AppLocker and Windows Defender Application Control (WDAC). This flaw allows scripts to execute in Full Language Mode, bypassing the intended Constrained Language Mode, thereby exposing systems to potential security risks.
Background on AppLocker and WDAC
AppLocker is a Windows feature that enables administrators to control which applications and scripts can run on a system. By defining rules, AppLocker helps prevent unauthorized software execution, thereby enhancing security. Windows Defender Application Control (WDAC) extends this functionality by enforcing code integrity policies, ensuring that only trusted code runs on the system. Both tools are integral to maintaining a secure Windows environment.
The Security Flaw in Windows 11 24H2
In Windows 11 24H2, a critical issue has emerged where PowerShell scripts, which should be restricted by AppLocker or WDAC policies, are executing without these constraints. This behavior is due to changes in how PowerShell determines its execution mode.
Technical Details
PowerShell operates in different language modes:
- Full Language Mode: Provides unrestricted access to all PowerShell features.
- Constrained Language Mode: Restricts access to certain features to limit the potential for malicious use.
Traditionally, PowerShell checks for AppLocker policies to decide whether to run in Constrained Language Mode. However, in Windows 11 24H2, PowerShell uses a new API, INLINECODE0, to determine execution policies. This API change inadvertently causes PowerShell to default to Full Language Mode, even when AppLocker or WDAC policies are in place.
Implications and Impact
The primary concern is that scripts, including potentially malicious ones, can execute without the intended restrictions, increasing the risk of:
- Privilege Escalation: Unauthorized elevation of user privileges.
- Lateral Movement: Spread of malicious activity across networks.
- Execution of Malicious Code: Running of harmful scripts that could compromise system integrity.
Microsoft's Response and Recommendations
Microsoft has acknowledged this issue and is working on a fix. In the interim, administrators are advised to:
- Monitor PowerShell Activity: Keep an eye on script executions and look for anomalies.
- Implement Additional Security Measures: Use other security tools to monitor and control script execution.
- Stay Updated: Apply patches and updates as they become available to address this vulnerability.
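The language-mode discussion above and the "monitor PowerShell activity" recommendation both come down to one question an administrator can answer on each host: does a freshly started PowerShell actually land in Constrained Language Mode when AppLocker or WDAC policy says it should? The following script is an added example written for this article, not code from Microsoft or from the original text. It uses real cmdlets (Get-AppLockerPolicy, Get-CimInstance, the Win32_DeviceGuard class) but the rule it applies to decide what mode is "expected" (an enforced AppLocker Script rule collection, or WDAC user-mode code integrity in enforced state) is this example's own assumption, and the function names are made up for illustration.

```powershell
# Added example (not part of the original article): audit whether a host that
# should enforce Constrained Language Mode via AppLocker or WDAC actually starts
# PowerShell in that mode. Run from an elevated session on each endpoint.

function Get-ExpectedLanguageMode {
    # Assumption used by this example: CLM is expected when either an enforced
    # AppLocker "Script" rule collection exists, or WDAC user-mode code
    # integrity (UMCI) is enforced. Otherwise FullLanguage is the normal result.
    $expectCLM = $false

    # AppLocker: read the effective policy as XML and look for an enforced Script collection.
    try {
        [xml]$policy = Get-AppLockerPolicy -Effective -Xml -ErrorAction Stop
        $scriptCollection = $policy.AppLockerPolicy.RuleCollection |
            Where-Object { $_.Type -eq 'Script' -and $_.EnforcementMode -eq 'Enabled' }
        if ($scriptCollection) { $expectCLM = $true }
    } catch {
        Write-Verbose "AppLocker policy could not be read: $_"
    }

    # WDAC: UsermodeCodeIntegrityPolicyEnforcementStatus of 2 means enforced (1 = audit, 0 = off).
    try {
        $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                              -ClassName Win32_DeviceGuard -ErrorAction Stop
        if ($dg.UsermodeCodeIntegrityPolicyEnforcementStatus -eq 2) { $expectCLM = $true }
    } catch {
        Write-Verbose "Device Guard status unavailable: $_"
    }

    if ($expectCLM) { 'ConstrainedLanguage' } else { 'FullLanguage' }
}

function Get-ObservedLanguageMode {
    # Start a fresh, non-interactive powershell.exe so the answer reflects what a
    # newly launched script gets, not the state of the current session.
    $cmd = '$ExecutionContext.SessionState.LanguageMode.ToString()'
    $exe = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\powershell.exe'
    (& $exe -NoProfile -NonInteractive -Command $cmd | Out-String).Trim()
}

function Test-LanguageModeEnforcement {
    # Compare expected versus observed mode and emit one record per host, which
    # can be collected centrally or forwarded to a SIEM as a compliance signal.
    $expected = Get-ExpectedLanguageMode
    $observed = Get-ObservedLanguageMode
    $result = [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OSBuild      = (Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
        Expected     = $expected
        Observed     = $observed
        Compliant    = ($expected -eq $observed)
    }
    if (-not $result.Compliant) {
        Write-Warning ("PowerShell started in {0} but policy implies {1} on {2}; " +
                       "check whether language-mode enforcement is being bypassed." -f
                       $observed, $expected, $env:COMPUTERNAME)
    }
    $result
}

Test-LanguageModeEnforcement
```

On an affected Windows 11 24H2 host with AppLocker script rules enforced, the record will show Expected = ConstrainedLanguage and Observed = FullLanguage, which is exactly the condition the article describes; on a patched or unaffected host the two values match. Running this on a schedule and alerting on Compliant = False turns the "monitor PowerShell activity" advice into a concrete check that does not depend on inspecting individual script executions.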
Conclusion
The discovery of this flaw underscores the importance of continuous monitoring and updating of security policies and systems. Administrators should remain vigilant and proactive in applying security measures to protect their environments.