Are there any ways to bypass the PowerShell execution policy?
By default, PowerShell prohibits PowerShell scripts from running on Windows systems. This gets in the way of penetration testers, system administrators and developers alike. Here I will cover 15 ways to bypass the PowerShell execution policy without needing system administrator permissions.

I'm sure there are still many techniques missing (or that I don't know about at all), but I hope this article provides a good starting point for those who need it.

What is the PowerShell execution policy?

The PowerShell execution policy determines which kinds of PowerShell scripts are allowed to run on the system. By default, it is set to "Restricted". However, this setting was never designed as a security control; in practice it mostly gets in the way of administrators. That is why there are so many ways to bypass it, including several provided by Microsoft itself. For more information on the execution policy settings and on what the default settings actually control, I suggest reading Carlos Perez's blog, which gives a good overview.

Why bypass the execution policy?

The reason I hear most often is that people want automation, but there are other reasons why PowerShell is so popular among administrators, penetration testers and attackers:

It is native to Windows.

It can call the Windows API.

It can run commands without writing to disk.

It can evade antivirus detection.

It is usually marked as "trusted" and is on the whitelist of most application whitelisting products.

Many open-source penetration testing toolkits are written in it.

How to view the execution policy

Before an attacker can use the full capabilities of PowerShell, the "Restricted" execution policy has to be bypassed. You can view the current configuration with the PowerShell command "Get-ExecutionPolicy". If you are looking at it for the first time, it is most likely set to "Restricted", as shown below.

PS C:\> Get-ExecutionPolicy

It is also worth noting that the execution policy can be set at several different levels (scopes) on the system. To list them, use the command below. For more information, see Microsoft's documentation for "Set-ExecutionPolicy".

Get-ExecutionPolicy -List | Format-Table -AutoSize

Description of the lab environment

In the examples below I will use a script named runme.ps1, which contains the following PowerShell command to write a message to the console:

Write-Host "My voice is my passport, verify me."

When I tried to execute it on a system with the default execution policy, PowerShell refused to run it and returned an execution policy error.

If your current execution policy is more permissive and you want to test the techniques below against a stricter setting, run the command "Set-ExecutionPolicy Restricted" from an administrator PowerShell console.

OK, enough preamble. Below are the 15 ways to bypass the restrictions of the PowerShell execution policy.

Bypassing the PowerShell execution policy

1. Paste the script directly into the interactive PowerShell console.

Copy and paste the PowerShell script into the interactive console, as shown below. Remember, however, that you are still limited by the current user's privileges. This is the most basic example, but when you already have an interactive console it is a convenient and quick way to run scripts. In addition, this technique does not change the configuration and does not require writing to disk.

2. Echo the script and pipe it to PowerShell's standard input

Simply echo the script and pipe it into PowerShell's standard input. This technique does not cause configuration changes and does not require writing to disk.

Echo Write-Host "My voice is my passport, verify me." | PowerShell.exe -NoProfile -

3. Read the script from a file and pipe it to PowerShell's standard input

Use the Windows "type" command or the PowerShell "Get-Content" command to read your script from disk and pipe it into PowerShell's standard input. This technique does not change the configuration, but it does require the script to be written to disk. If you want to avoid writing to disk as much as possible, you can read your scripts from a network share instead.

Example 1: Get-Content PowerShell command

Get-Content .\runme.ps1 | PowerShell.exe -NoProfile -

Example 2: Type command

TYPE .\runme.ps1 | PowerShell.exe -NoProfile -

4. Download the script from the network and execute it with IEX

This technique downloads a PowerShell script from the Internet and executes it without writing it to disk. It also does not cause any configuration changes. I've seen many creative uses of it, but most recently I saw it referenced in a good PowerSploit blog post by Matt Graeber. The URL below is a placeholder for the script's location, which is not reproduced here.

powershell -nop -c "iex (New-Object Net.WebClient).DownloadString('<URL-of-script>')"

5. Use the -Command switch

This technique is very similar to pasting the script into the console, but it can be used from a batch file or the Windows command line. It does not cause configuration changes and does not require writing to disk.

Example 1: Full command

Powershell -Command "Write-Host 'My voice is my passport, verify me.'"

Example 2: Short command

Powershell -c "Write-Host 'My voice is my passport, verify me.'"

6. Use the -EncodedCommand switch

This is very similar to using the -Command switch, but it takes a Unicode (UTF-16LE) / Base64 encoded string instead. Encoding your script this way helps you avoid all the quoting and parsing errors you run into when passing it through -Command. This technique does not change the configuration and does not require writing to disk. The following example comes from Posh-SecMod.

Example 1: Full command

$command = "Write-Host 'My voice is my passport, verify me.'"
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)
powershell.exe -EncodedCommand $encodedCommand

Example 2: Using the encoded string with the short switch

powershell.exe -Enc VwByAGkAdABlAC0ASABvAHMAdAAgACcATQB5ACAAdgBvAGkAYwBlACAAaQBzACAAbQB5ACAAcABhAHMAcwBwAG8AcgB0ACwAIAB2AGUAcgBpAGYAeQAgAG0AZQAuACcA
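Because -EncodedCommand is also the form most often seen in process-creation logs, an encode/decode round trip is useful for triage. The following helper is an added example and not code from the original post or from Posh-SecMod; the function names and the sample command line are my own.

```powershell
# Added example (not from the original post): round-trip helpers for the
# -EncodedCommand format described above. PowerShell expects the Base64 of the
# UTF-16LE ("Unicode") bytes of the script text; encoding with UTF-8 or ASCII
# yields a string that powershell.exe will reject.
function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$Script)
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($Script)
    [Convert]::ToBase64String($bytes)
}

# Decode an -EncodedCommand / -Enc argument, for example one captured from a
# process command line in an audit log, back into readable PowerShell.
function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Encoded)
    $bytes = [Convert]::FromBase64String($Encoded)
    [System.Text.Encoding]::Unicode.GetString($bytes)
}

# Pull the encoded payload out of a full command line. The alternation covers the
# common abbreviations powershell.exe accepts for -EncodedCommand.
function Get-DecodedCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    if ($CommandLine -match '(?i)\s-(e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)') {
        return ConvertFrom-EncodedCommand $Matches[2]
    }
    return $null
}

# Constructed sample: the script from this article, encoded and then decoded again.
$sample = "Write-Host 'My voice is my passport, verify me.'"
$enc = ConvertTo-EncodedCommand $sample
"Encoded : $enc"
"Decoded : $(ConvertFrom-EncodedCommand $enc)"

# Constructed sample command line, as a Sysmon event 1 or a 4688 record would carry it.
$cmdline = "powershell.exe -NoProfile -Enc $enc"
"From command line: $(Get-DecodedCommandLine $cmdline)"
```

The encoded value printed for the sample is the same string shown in Example 2 above.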

7. Use the Invoke-Command cmdlet

I saw this interesting method on obscuresec's blog. It is typically run from the interactive PowerShell console, but the coolest part is that when PowerShell remoting is enabled, it can be used to execute commands on remote systems. This technique does not cause configuration changes and does not require writing to disk.

Invoke-Command -ScriptBlock { Write-Host "My voice is my passport, verify me." }

According to the obscuresec blog, the following command can also be used to read the execution policy from a remote computer and apply it to the local computer.

Invoke-Command -ComputerName Server01 -ScriptBlock { Get-ExecutionPolicy } | Set-ExecutionPolicy -Force

8. Use the Invoke-Expression cmdlet

This is another method that is typically run from the interactive PowerShell console. This technique does not cause configuration changes and does not require writing to disk. Below are some common ways to bypass the execution policy with Invoke-Expression.

Example 1: Full command using Get-Content

Get-Content .\runme.ps1 | Invoke-Expression

Example 2: Short command using Get-Content

GC .\runme.ps1 | iex

9. Use the "Bypass" execution policy flag

This is a nice way to bypass the execution policy when you run commands from a script file. When you use this flag, "nothing is blocked and there are no warnings or prompts". This technique does not cause configuration changes and does not require writing to disk.

PowerShell.exe -ExecutionPolicy Bypass -File .\runme.ps1

10. Use the "Unrestricted" execution policy flag

This is similar to the Bypass flag. When you use this flag, it "loads all configuration files and runs all scripts". If you run an unsigned script that was downloaded from the Internet, it will prompt you for permission first. This technique does not cause configuration changes and does not require writing to disk.

PowerShell.exe -ExecutionPolicy Unrestricted -File .\runme.ps1

11. Use the "RemoteSigned" execution policy flag

Create your script and sign it by following the signing tutorial. Finally, run it with the following command:

PowerShell.exe -ExecutionPolicy RemoteSigned -File .\runme.ps1

12. Disable the ExecutionPolicy by swapping out the AuthorizationManager

This is an idea I got from http://www.nivot.org. The following function can be run from the interactive PowerShell console. Once the function is called, it replaces the session's "AuthorizationManager" with a blank (default) one. The end result is that there are essentially no execution policy restrictions for the remainder of the session. However, the change only lasts for the duration of the session.

function Disable-ExecutionPolicy {
    ($ctx = $executioncontext.GetType().GetField("_context", "nonpublic,instance").GetValue($executioncontext)).GetType().GetField("_authorizationManager", "nonpublic,instance").SetValue($ctx, (New-Object System.Management.Automation.AuthorizationManager "Microsoft.PowerShell"))
}

Disable-ExecutionPolicy
.\runme.ps1

13. Set the ExecutionPolicy for the Process scope

As we saw in the introduction, the execution policy can be applied at multiple levels (scopes). This includes the process you control. With this technique, the execution policy is set for the duration of the current session only. It does not cause configuration changes and does not require writing to disk. I first came across this technique on the r007break blog.

Set-ExecutionPolicy Bypass -Scope Process

14. Set the ExecutionPolicy for the CurrentUser scope via a command

This method is similar to the one above. However, it applies the setting to the current user's environment by modifying the registry. In addition, it does not cause configuration changes or require writing to disk. I first came across this technique on the r007break blog.

Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted

15. Set the ExecutionPolicy for the CurrentUser scope via the registry

In this example I show how to change the execution policy for the current user's environment by modifying the following registry key directly.

HKEY_CURRENT_USER\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
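Techniques 13, 14 and 15 differ in how long they last and where the setting lives, so an administrator investigating a host wants to see which scope is deciding the effective policy and what is persisted in the registry key above. The script below is an added, read-only audit example and not code from the original post; the function names are my own.

```powershell
# Added example (not from the original post): report where the effective execution
# policy comes from. Get-ExecutionPolicy -List returns the scopes in precedence order
# (MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine); the first scope that
# is not Undefined wins. Process (technique 13) lives only in the running session, while
# CurrentUser and LocalMachine are backed by the registry key shown above, so changes made
# there (techniques 14 and 15) survive a restart of PowerShell.
function Get-ExecutionPolicySource {
    $scopes = Get-ExecutionPolicy -List
    $effective = $scopes |
        Where-Object { $_.ExecutionPolicy -ne 'Undefined' } |
        Select-Object -First 1
    [pscustomobject]@{
        Effective = if ($effective) { $effective.ExecutionPolicy } else { '(platform default)' }
        Scope     = if ($effective) { $effective.Scope } else { '(undefined at every scope)' }
        Process   = ($scopes | Where-Object Scope -eq 'Process').ExecutionPolicy
    }
}

# Read the persisted values directly from the registry. HKLM holds the LocalMachine scope,
# HKCU the CurrentUser scope that technique 15 edits. This only reads; nothing is modified.
function Get-PersistedExecutionPolicy {
    $relative = 'Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\$relative"
        $value = (Get-ItemProperty -Path $key -Name ExecutionPolicy -ErrorAction SilentlyContinue).ExecutionPolicy
        [pscustomobject]@{
            Hive            = $hive
            Key             = $key
            ExecutionPolicy = if ($value) { $value } else { '(not set)' }
        }
    }
}

Get-ExecutionPolicySource | Format-List
Get-PersistedExecutionPolicy | Format-Table -AutoSize
```

A CurrentUser or LocalMachine value that is set to Bypass or Unrestricted without a known change is worth following up, since none of the session-only techniques above leave that trace.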

Summary

I think the theme here is that the execution policy is not a real obstacle for developers, administrators, or anyone else. Microsoft never intended it to be a security control, which is why there are so many options for bypassing it. Microsoft itself provides several built-in options, and the security community has come up with some really interesting tricks as well.