What is the PowerShell Execution Policy?
The PowerShell execution policy is the setting that determines which type of PowerShell scripts (if any) can be run on the system. By default it is set to "Restricted", which basically means none. However, it's important to understand that the setting was never meant to be a security control. Instead, it was intended to prevent administrators from shooting themselves in the foot. That's why there are so many options for working around it, including a few that Microsoft has provided. For more information on the execution policy settings and other default security controls in PowerShell, I suggest reading Carlos Perez's blog. He provides a nice overview.
Why Would I Want to Bypass the Execution Policy?
Automation seems to be one of the more common responses I hear from people, but below are a few other reasons PowerShell has become so popular with administrators, pentesters, and hackers. PowerShell is:
- Native to Windows
- Able to call the Windows API
- Able to run commands without writing to the disk
- Able to avoid detection by Anti-virus
- Already flagged as "trusted" by most application white list solutions
- A medium used to write many open source Pentest toolkits
How to View the Execution Policy
Before being able to use all of the wonderful features PowerShell has to offer, attackers may have to bypass the "Restricted" execution policy. You can take a look at the current configuration with the "Get-ExecutionPolicy" PowerShell command. If you're looking at the setting for the first time, it's likely set to "Restricted" as shown below.
PS C:> Get-ExecutionPolicy
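Get-ExecutionPolicy on its own returns only the effective value. The following added example (not part of the original post) lists the policy at every scope and marks the scope that decides the effective value, which is what an administrator auditing a host would want to see. The function name Get-ExecutionPolicyReport is hypothetical; Get-ExecutionPolicy -List is the built-in cmdlet parameter.

```powershell
# Added example: show the execution policy per scope and which scope wins.
# Get-ExecutionPolicy -List returns the scopes in precedence order:
# MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine.
function Get-ExecutionPolicyReport {   # hypothetical helper name
    [CmdletBinding()]
    param()

    $scopes = @(Get-ExecutionPolicy -List)

    # The first scope that is not 'Undefined' determines the effective policy.
    $winner = $scopes |
        Where-Object { $_.ExecutionPolicy -ne 'Undefined' } |
        Select-Object -First 1

    foreach ($s in $scopes) {
        $name = [string]$s.Scope
        $isSet = $s.ExecutionPolicy -ne 'Undefined'
        New-Object PSObject -Property @{
            Scope            = $name
            ExecutionPolicy  = [string]$s.ExecutionPolicy
            # True only for the scope that decides the effective policy.
            IsEffective      = ($null -ne $winner) -and ($name -eq [string]$winner.Scope)
            # MachinePolicy and UserPolicy are the Group Policy scopes.
            SetByGroupPolicy = $isSet -and (@('MachinePolicy', 'UserPolicy') -contains $name)
        }
    }
}

$report = Get-ExecutionPolicyReport
$report | Select-Object Scope, ExecutionPolicy, IsEffective, SetByGroupPolicy |
    Format-Table -AutoSize

# Cross-check against the value PowerShell itself reports as effective.
$effective = [string](Get-ExecutionPolicy)
$deciding  = $report | Where-Object { $_.IsEffective }

if ($null -eq $deciding) {
    # Every scope is Undefined, so the platform default applies.
    Write-Output "No scope is set; default in effect: $effective"
} elseif ($deciding.ExecutionPolicy -ne $effective) {
    Write-Warning "Scope '$($deciding.Scope)' says $($deciding.ExecutionPolicy) but effective is $effective"
} else {
    Write-Output "Effective policy '$effective' comes from scope '$($deciding.Scope)'"
}
```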