In my last post, I wrote about how setting the Execution Policy is not a viable security countermeasure and is easily bypassed by malicious actors. The examples provided work when the Execution Policy is set by running "Set-ExecutionPolicy"; however, they do not bypass an Execution Policy set by Group Policy.
This post will demonstrate a way to get around that as well.
Again, create two files under "C:\temp\" called "EP-Demo.ps1" and "EP-Demo.bat" and paste the following lines into them:

REM Put this in EP-Demo.bat
powershell.exe -Command "$script = Get-Content C:\temp\EP-Demo.ps1 -Raw; . ([ScriptBlock]::Create($script))"
pause

# Put this in EP-Demo.ps1
Write-Host "The Execution Policy is set to: $(Get-ExecutionPolicy)"
Go ahead and double-click on EP-Demo.bat to test that it works as-is.
For the next part, assuming you don't already have a Group Policy in place to disable scripts, let's go ahead and set that in Local Group Policy:
- Open the Run dialog and type "gpedit.msc" to open the Local Group Policy Editor
- Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell
- Double-click on "Turn on Script Execution"
- Change the setting from "Not Configured" to "Disabled"
Once that's changed, double-click on EP-Demo.bat again, and watch it still execute the script (this time showing the Execution Policy as "Restricted").
Note: to change your Execution Policy back, simply change the setting back to "Not Configured" and your system will revert to the settings it had previously.
So, requiring code signing or disabling scripts entirely through the Execution Policy will not stop malicious actors from leveraging PowerShell. Although the Execution Policy has some benefit in certain applications (such as automated scripting), it is not a real security countermeasure. If you are concerned about malicious actors leveraging PowerShell, much more effective countermeasures are to ensure your machines are fully patched and to follow solid best practices such as disabling Office macros (one common attack vector).
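Since the Execution Policy will not block the load-from-disk-and-run-in-memory pattern shown above, the practical defensive step is to be able to see it. The following PowerShell check is an added example, not code from the original post; it assumes Script Block Logging is enabled so that script text is recorded as event ID 4104 in the Microsoft-Windows-PowerShell/Operational log, and the sample entries it scans are constructed stand-ins for those events.

```powershell
# Added example (not from the original post). Flags script-block text that
# reads a .ps1 file and then executes its contents in memory, the pattern used
# by EP-Demo.bat above. Assumes Script Block Logging (event ID 4104) is enabled.

function Test-InMemoryScriptLoad {
    param([Parameter(Mandatory)][string]$ScriptBlockText)

    # Step 1: the text pulls a .ps1 file's contents from disk.
    $readsFile = $ScriptBlockText -match '\b(Get-Content|gc|cat|type)\b.*\.ps1'
    # Step 2: it turns that text into a script block (or hands it to Invoke-Expression,
    # the equivalent in-memory form) instead of running the file directly.
    $runsInMemory = $ScriptBlockText -match '\[ScriptBlock\]::Create|Invoke-Expression|\biex\b'
    return ($readsFile -and $runsInMemory)
}

function Find-ExecutionPolicyBypass {
    # Takes objects with TimeCreated and ScriptBlockText properties and returns the matches.
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        if (Test-InMemoryScriptLoad -ScriptBlockText $e.ScriptBlockText) {
            [pscustomobject]@{ TimeCreated = $e.TimeCreated; ScriptBlockText = $e.ScriptBlockText }
        }
    }
}

# Constructed sample entries standing in for 4104 events (not real log data).
$sample = @(
    [pscustomobject]@{ TimeCreated = '2024-01-01 09:00'; ScriptBlockText = 'Get-Process | Sort-Object CPU' }
    [pscustomobject]@{ TimeCreated = '2024-01-01 09:01'; ScriptBlockText = '$script = Get-Content C:\temp\EP-Demo.ps1 -Raw; . ([ScriptBlock]::Create($script))' }
    [pscustomobject]@{ TimeCreated = '2024-01-01 09:02'; ScriptBlockText = 'Get-Content C:\logs\app.log | Select-String ERROR' }
)

# Only the second entry is reported: it both reads a .ps1 and builds a script block from it.
Find-ExecutionPolicyBypass -Events $sample | Format-Table -AutoSize

# To scan the live log instead of the constructed sample (Properties[2] of a 4104 event
# holds the ScriptBlockText field):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } |
#     ForEach-Object { [pscustomobject]@{ TimeCreated = $_.TimeCreated; ScriptBlockText = $_.Properties[2].Value } }
# Find-ExecutionPolicyBypass -Events $live
```

The third sample entry shows why both conditions are required: reading a log file with Get-Content is routine and should not fire on its own.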