PowerShell ExecutionPolicy Bypass


Recently I was discussing popular ways to bypass PowerShell's ExecutionPolicy restrictions with colleagues. I realized that I had never blogged about these bypasses, and thought it would make a fun blog post for today. By default, PowerShell is configured to prevent the execution of PowerShell scripts on Windows systems, which can keep an engineer or developer from running PowerShell scripts locally on their own machine. PowerShell has become a target for many attackers because it is built into most machines, which lets them live off the land. Learning some common bypass methods shows an attacker or infosec professional how to hop over this false protection policy.

What is the Execution Policy?

According to Microsoft, the execution policy is part of the security strategy of PowerShell. It determines whether you can load configuration files (including your PowerShell profile) and run scripts, and it determines which scripts, if any, must be digitally signed before they will run.  It should be noted that Microsoft has gone on record saying that the ExecutionPolicy was never intended to be a security control.  

To change the PowerShell Execution Policy, you have to start PowerShell as an administrator and run the following command: Set-ExecutionPolicy -ExecutionPolicy RemoteSigned. You can also use Unrestricted in place of RemoteSigned, but Microsoft discourages it.

Alright, but what if you are not an administrator yet?  You have basic low privilege access to a Windows machine, and you need to upgrade your shell to something more stable, or to add some Empire persistence.  How can you change the ExecutionPolicy?

Viewing the Execution Policy

To see what the current machine's or profile's ExecutionPolicy is set to, we can run the following commands.

PS C:\> Get-ExecutionPolicy

Get-ExecutionPolicy -List | Format-Table -AutoSize

For testing, I will run a simple script that echoes "Hello, World" to the screen and launches the calculator executable. The commands below are saved as test.ps1.

Write-Host "Hello, World"
calc.exe

For demonstration purposes, I have run the test.ps1 file to show that the ExecutionPolicy is currently set to Restricted.

The second screenshot demonstrates that I am running PowerShell as a low-privilege user and cannot set the ExecutionPolicy without elevating privileges.

Ways to Bypass Restrictions

1. Paste straight into the PowerShell Window (Warning: a single command has a length limit of 2047 or 8191, depending on O/S version).

2. Echo the Script and Pipe it to PowerShell Standard In

3. Read Script from a File and Pipe to PowerShell Standard In

4. Download Script from URL (Remote and Local) and Execute with Invoke Expression

5. Use the Command Switch

6. Use the EncodedCommand Switch

7. Use the Invoke-Command Command

8. Use the Invoke-Expression Command

9. Use the “Bypass” Execution Policy Flag.  In terms of Bypass this might be the funniest one, and best suited to show that Microsoft never meant for this to be a real security control.

10. Disable ExecutionPolicy by Swapping out the AuthorizationManager

11. Set the ExecutionPolicy for the Process Scope
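For defenders: every method above that starts a new powershell.exe process leaves its arguments in process-creation logging (Windows Security event 4688 with command-line auditing, or Sysmon event 1). The Python below is an added example, not code from this post; it maps one logged command line to the techniques in the list. The function names, labels and sample lines are constructed, and the abbreviation table is an assumption taken from the open-source PowerShell command-line parser.

```python
import re

# powershell.exe resolves any prefix of a parameter name down to a minimum
# length, so a rule that matches only "-ExecutionPolicy" misses "-ep"/"-exec".
PARAMS = {  # parameter: [(full name, shortest accepted prefix), ...]
    "ExecutionPolicy": [("executionpolicy", "ex"), ("ep", "ep")],
    "EncodedCommand": [("encodedcommand", "e"), ("ec", "e")],
    "Command": [("command", "c")],
}
TEXT_RULES = {  # patterns looked for anywhere in the command line
    "invoke-expression": re.compile(r"\b(invoke-expression|iex)\b", re.I),
    "process-scope": re.compile(r"set-executionpolicy\b.*-scope\s+process", re.I),
}

def param_name(token):
    """Return the parameter that a token such as '-ep' or '/enc' resolves to."""
    key = token[1:].lower() if token[:1] in ("-", "/") else ""
    for name, forms in PARAMS.items():
        if key and any(f.startswith(key) and key.startswith(s) for f, s in forms):
            return name
    return None

def findings(command_line):
    """List the techniques from the post that one command line matches."""
    tokens = command_line.split()
    if not tokens or "powershell" not in tokens[0].lower():
        return []
    hits = []
    for i, tok in enumerate(tokens[1:], start=1):
        name = param_name(tok)
        value = tokens[i + 1].strip("'\"").lower() if i + 1 < len(tokens) else ""
        if name == "ExecutionPolicy" and value in ("bypass", "unrestricted"):
            hits.append("policy-flag:" + value)
        elif name in ("EncodedCommand", "Command"):
            hits.append(name)
            break  # the rest is script text, not switches
        elif tok == "-":
            hits.append("stdin")  # script is read from standard input
    return hits + [n for n, rx in TEXT_RULES.items() if rx.search(command_line)]

# Constructed sample command lines, as process-creation logging records them.
SAMPLES = [
    r"powershell.exe -nop -ep bypass -File .\test.ps1",
    r"PowerShell.exe -NoProfile -",
    r"powershell.exe -NoProfile -File .\test.ps1",
]
if __name__ == "__main__":
    for line in SAMPLES:
        print(findings(line) or ["none"], line)
```

Methods run from an already open session (pasting into the window, Invoke-Command, swapping the AuthorizationManager) never show up in a command line; PowerShell Script Block Logging (event ID 4104) is where those become visible.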

There are of course other ways to perform the ExecutionPolicy bypass, but hopefully this helps you start to understand how easy it is to sidestep this restriction. Just a reminder that Microsoft never intended for ExecutionPolicy to be a security control. Until next time!

Ryan Villarreal
