Comment by AshamedCaptain 14 hours ago
I do not understand how this works. I thought the default PS policy on all versions of Windows was not to run "unsigned" PS scripts by default (precisely for this reason). Or at least I've personally seen that myriad times.
So, are these malware scripts signed, has MS relaxed the default PS policy, do users relax it, or has this malware found another way around it?
The attack has the user paste content into the Windows run dialog. That could include spawning an admin PowerShell and running `Set-ExecutionPolicy -ExecutionPolicy Unrestricted` before running a remote script. Or more likely what nullindividual said - the download and start of the exe is entirely contained in what the user is pasting in.
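An added detection-side example, not part of this thread or of any commenter's post: the reply above explains that the pasted command can itself override the execution policy, so a defender would rather look for that override in process-creation telemetry than rely on the policy. The event records, field names and paths below are constructed sample data, and the explorer.exe-parent heuristic (commands entered in the Run dialog are spawned by the shell) is an assumption of this example.

```python
import re

# Constructed process-creation records; field names loosely follow Sysmon
# Event ID 1. These are sample data for the example, not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Unrestricted -File C:\Users\u\Downloads\fix.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell.exe -c "Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process; & C:\Users\u\Downloads\fix.ps1"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},  # benign scheduled job
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -ep bypass -File C:\Users\u\AppData\Local\Temp\x.ps1"},
]

# powershell.exe accepts unambiguous parameter prefixes, so -ex, -exec and the
# documented short form -ep all mean -ExecutionPolicy; match the prefix, not the full name.
POLICY_FLAG = re.compile(r"(?i)(?<!\S)-(?:ex[a-z]*|ep)\s+(?:bypass|unrestricted)\b")
# In-session change of the policy, which the reply above describes.
POLICY_CMDLET = re.compile(r"(?i)\bset-executionpolicy\b[^;|]*\b(?:bypass|unrestricted)\b")


def flags_for(event):
    """Return the reasons one process-creation event looks like an execution-policy override."""
    cmd = event["CommandLine"]
    reasons = []
    if POLICY_FLAG.search(cmd):
        reasons.append("execution-policy override flag")
    if POLICY_CMDLET.search(cmd):
        reasons.append("Set-ExecutionPolicy to Bypass/Unrestricted")
    # Heuristic (assumed for this example): something typed or pasted into the Run
    # dialog is launched by explorer.exe, so an override with that parent stands out.
    if reasons and event["ParentImage"].lower().endswith(r"\explorer.exe"):
        reasons.append("launched from explorer.exe (Run dialog / shell)")
    return reasons


def scan(events):
    """Map event index -> reasons for every event that triggers at least one rule."""
    hits = {}
    for i, event in enumerate(events):
        reasons = flags_for(event)
        if reasons:
            hits[i] = reasons
    return hits


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {'; '.join(reasons)}")
```

Execution policy is not a security boundary, so the value of this check is the signal it gives an analyst, not any blocking effect.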