I love how a lot of Linux users go and make fun of windows security, but 90% of tutorials go around throwing sudos commands "because why not", with some of them even curling sh files from servers with weird domains.
And the weirdest thing? 99.999% of the time there is not malware involved... but it totally could. It reminds me of those towns where people go to work without locking their doors. It's beautiful and sketchy at the same time.
One file I can send to a non-tech-savvy coworker and they can double click and run. A PowerShell script refuses to run because nanny Microsoft is smarter than you.
Saw Powershell used recently for a Redline Stealer bootstrap. Someone made a game repack with "Advanced Installer" which is legit, but added a plugin DLL which lets them run PS with the same privileges. The installer was digitally signed and requested admin, since it was an installer of course.
The first thing the PS script did was to add Windows Defender exceptions to hide itself. And it worked beautifully. All the rest of the downloading, decrypting, and making the scheduled task to start Redline at user login succeeded.
The only tipoff was seeing Powershell.exe in task manager with a base64 encoded command line argument.
Any sufficiently advanced system administration tool is also powerful enough for a worm. The whole experience reminds me a lot of those early worms in the 2000s.
Man, I owe my career to that absolute shit-house of a language...and PowerShell. Thanks for hours and hours and hours of "fun", VBscript! I have a great life now because of you!
They should have commited Powershell to be fully Typed and put more energy in IDE to make it convenient to use as a script language. The "magic" make it confusing.
Agreed. Once you start to go "full PowerShell" (i.e. creating .NET objects entirely with PowerShell), you enter this weird middle-ground where you have the worst of a scripting language (weakly typed; interpreted at runtime; heavy; awkward to implement some algorithms) with the worst of an OOP-type language (dealing with objects, basically). At that point, you might as well break out VSCode and write some C# or something.
When will Microsoft fix the root cause, and stop with this 'Attack Vector' BS.
A running application should not, by default, have access to everything on disk (and every program running on the PC too). You will never annihalate every attack vector, especially when the limiting factor is dumb users.
To me this news reads like everyone who is intimately familiar with VBScript is retiring from MS and they're trying to get ahead of their own inability to maintain it.
20 comments
[ 6.2 ms ] story [ 493 ms ] threadPowershell can be configured to prevent those attack vectors.
Also hardly any different from people doing "curl | sudo sh" to install random stuff.
I love how a lot of Linux users go and make fun of windows security, but 90% of tutorials go around throwing sudos commands "because why not", with some of them even curling sh files from servers with weird domains.
And the weirdest thing? 99.999% of the time there is not malware involved... but it totally could. It reminds me of those towns where people go to work without locking their doors. It's beautiful and sketchy at the same time.
Totally.
Otherwise there are also settings that allow locally created files but block downloaded powershell files using NTFS alternate data stream tags.
The first thing the PS script did was to add Windows Defender exceptions to hide itself. And it worked beautifully. All the rest of the downloading, decrypting, and making the scheduled task to start Redline at user login succeeded.
The only tipoff was seeing Powershell.exe in task manager with a base64 encoded command line argument. Any sufficiently advanced system administration tool is also powerful enough for a worm. The whole experience reminds me a lot of those early worms in the 2000s.
A running application should not, by default, have access to everything on disk (and every program running on the PC too). You will never annihalate every attack vector, especially when the limiting factor is dumb users.