WinRb / winrm-elevated

Runs PowerShell commands as elevated over Windows Remote Management (WinRM) via a scheduled task
Apache License 2.0

Suggestion: remove execution policy bypass #47

Open fwininger opened 3 years ago

fwininger commented 3 years ago

Hi @mwrock, some EDRs detect malicious activity with the command:

powershell.exe -executionpolicy bypass -NoProfile -File .\test.ps1

I understand that just removing -executionpolicy bypass throws an error with the Windows default configuration, but I propose this change:

powershell.exe -noprofile -noninteractive -Command { Get-Content .\test.ps1 | iex }

Do you think that this approach seems correct?

mwrock commented 3 years ago

What if you changed bypass to RemoteSigned? Would that make the EDR happy? Removing -executionpolicy bypass will break several scenarios where the execution policy is set to restricted.
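
For detection engineers reading this thread, an added example (not part of the issue and not winrm-elevated code) that classifies the command lines discussed above, so a rule covers both an explicit policy override and script content piped to Invoke-Expression, which is not subject to the script-file policy check. It assumes powershell.exe accepts any prefix of -ExecutionPolicy from -ex upward plus the -ep alias; the function names and finding tags are hypothetical.

```python
import re

# Get-Content (or its built-in aliases) piped into Invoke-Expression / iex.
PIPE_TO_IEX = re.compile(
    r"\b(get-content|gc|cat|type)\b[^|]*\|\s*(iex|invoke-expression)\b", re.I)


def _is_switch(token, name, shortest):
    """True if token is -name, /name, or a prefix of name at least len(shortest) long."""
    if token[0] not in "-/":
        return False
    key = token[1:].lower()
    return len(key) >= len(shortest) and name.startswith(key)


def execution_policy(cmdline):
    """Return the policy value given to powershell.exe itself, lowercased, or None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens):
        # Everything after -Command / -File belongs to the script, not the host.
        if _is_switch(tok, "command", "c") or _is_switch(tok, "file", "f"):
            break
        if _is_switch(tok, "executionpolicy", "ex") or _is_switch(tok, "ep", "ep"):
            return tokens[i + 1].lower() if i + 1 < len(tokens) else None
    return None


def classify(cmdline):
    """Return the set of findings for one process command line."""
    findings = set()
    policy = execution_policy(cmdline)
    if policy is not None:
        findings.add("policy-override:" + policy)
    if PIPE_TO_IEX.search(cmdline):
        findings.add("file-piped-to-iex")
    return findings


# Constructed samples: the two commands quoted in the issue, the RemoteSigned
# variant suggested in the reply, and an abbreviated spelling of the first.
SAMPLES = [
    r"powershell.exe -executionpolicy bypass -NoProfile -File .\test.ps1",
    r"powershell.exe -noprofile -noninteractive -Command { Get-Content .\test.ps1 | iex }",
    r"powershell.exe -executionpolicy RemoteSigned -NoProfile -File .\test.ps1",
    r"powershell.exe -ep Bypass -NoProfile -File .\test.ps1",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(sorted(classify(s)) or ["none"], "<-", s)
```
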