New AV Bypass techniques

I’m not an expert, but I know pentesters that do this.

While they don’t need to be signed by default, I think this can be changed, but I don’t remember where.

I think one of the main things people I know use is Invoke-Obfuscation to obfuscate powershell scripts. For actually running the script XSL and HTA work well.

There are things you can do to stop this working as well, like enabling script block logging, using constrained language mode and disabling powershell 1 (you can bypass the constrained mode by running the script with powershell 1 instead of a later one).

While by default powershell’s execution policy will not allow scripts it is trivial to bypass with something like

powershell.exe -exec bypass

There is also a script called Revoke-Obfuscation which tries to detect obfuscation to block scripts using it.

There is also the anti-malware scan interface being used by windows defender and others, but that can be bypassed.

It might also be worth pointing out that Microsoft is doing some machine learning cloud stuff with windows defender that can be used (only in the business versions iirc); this also works with powershell scripts and office macros.

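As an added example (not from the original post or any of the tools it names), here is a defender-side PowerShell snippet that applies the mitigations the post lists and then audits the resulting Script Block Logging events. The registry path, event ID and optional-feature name are real Windows identifiers; the obfuscation indicator regexes are an illustrative heuristic, not Revoke-Obfuscation’s logic.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell
# session on a Windows host. The "obfuscation indicator" regexes below are a
# hypothetical heuristic chosen for illustration.

# 1. Turn on Script Block Logging via the policy key so the de-obfuscated
#    text of every executed block is recorded as event 4104.
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 2. Remove the legacy engine optional feature so a script cannot downgrade
#    to an engine that lacks Script Block Logging and AMSI integration.
$legacy = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
if ($legacy.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
}

# 3. Report this session's language mode; a hardened host should show
#    ConstrainedLanguage, enforced through an AppLocker or WDAC policy.
"Language mode: $($ExecutionContext.SessionState.LanguageMode)"

# 4. Review recent 4104 events for common obfuscation traits (backtick
#    stuffing, char-code string assembly, base64 staging) and list the hits.
$indicators = @(
    '`{3,}',                         # runs of escape backticks inside tokens
    '\[char\]\s*\d+',                # building strings from char codes
    'FromBase64String',              # decoding an embedded payload
    '-join\s*\(',                    # reassembling split strings
    '(?i)\biex\b|Invoke-Expression'  # evaluating a built string
)
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
} -MaxEvents 500 -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $text = [string]$e.Properties[2].Value      # ScriptBlockText field
    $hits = @($indicators | Where-Object { $text -match $_ })
    if ($hits.Count -ge 2) {                    # two or more traits = review it
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Indicators = ($hits -join ', ')
            Preview    = $text.Substring(0, [Math]::Min(80, $text.Length))
        }
    }
}
```

Steps 1 and 2 need administrator rights and step 2 may require a reboot to take effect; step 4 only returns rows once logging has been on long enough to capture script blocks.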