PowerShell

Winsage
August 15, 2025
Microsoft's mandatory August 2025 Windows 11 update, KB5063878, adds the Quick Machine Recovery feature for remotely repairing PCs that fail to boot. Users have reported installation failures with error codes such as 0x80240069, 0x80240031 and 0x800f0922. Microsoft has acknowledged the failures as a known issue that most prominently affects devices receiving updates through Windows Server Update Services (WSUS); it occurs on freshly installed systems as well as on systems that have taken many previous updates. Microsoft points to a Known Issue Rollback (KIR), which disables the specific change behind the failure rather than uninstalling the whole update, and suggests a registry modification or a PowerShell script as a workaround. Users who need the update immediately can download the package from the Microsoft Update Catalog and install it by hand.
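An added example, not from the Winsage article or from Microsoft, for checking where a device stands before applying any workaround: it confirms whether KB5063878 is installed, pulls recent Windows Update installation failures with their error codes from the update client's event log, and reports whether the device is pointed at a WSUS server. The log name and event ID 20 (installation failure) are the standard ones; the regex that extracts the error code from the message text, the 14-day window and the list of codes it highlights are this example's own choices.

```powershell
# Added example (not from the article): installation status and recent failures for KB5063878.
# Assumptions: elevated Windows PowerShell 5.1 or PowerShell 7 session on Windows 11;
# the regex and the 14-day window are this example's choices.
$Kb = 'KB5063878'

$installed = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
if ($installed) { "$Kb installed on $($installed.InstalledOn)" } else { "$Kb is not installed" }

# Installation failures (event ID 20) logged by the Windows Update client in the last 14 days.
$filter = @{
    LogName   = 'Microsoft-Windows-WindowsUpdateClient/Operational'
    Id        = 20
    StartTime = (Get-Date).AddDays(-14)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The message reads "Installation Failure: ... with error 0x........: <update title>".
        $code = [regex]::Match($_.Message, '0x[0-9A-Fa-f]{8}').Value
        [pscustomobject]@{
            Time      = $_.TimeCreated
            ErrorCode = $code
            Update    = ($_.Message -split "`n")[0].Trim()
        }
    } |
    Where-Object { $_.Update -match $Kb -or $_.ErrorCode -in '0x80240069','0x80240031','0x800f0922' } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize

# Does this device receive updates from WSUS (the configuration Microsoft flagged)?
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
if (Test-Path $wuPolicy) {
    $p = Get-ItemProperty -Path $wuPolicy
    if ($p.WUServer) { "WSUS server configured: $($p.WUServer)" }
}
```

If the device is WSUS-managed and the failures show 0x80240069, the KIR or the documented workaround is the path; if it is not WSUS-managed, treat the error code as a separate problem rather than assuming this known issue.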
Winsage
August 13, 2025
Microsoft is removing the PowerShell 2.0 engine from Windows 11 version 24H2 in August 2025 and from Windows Server 2025 in September 2025, after removing it from Windows Insider builds in July 2025. Anyone still running legacy scripts, or software that starts the 2.0 engine explicitly, must migrate or put workarounds in place before the update lands. Windows PowerShell 5.1 and PowerShell 7.x remain available and supported. Older versions of Microsoft server products such as Exchange Server, SharePoint Server and SQL Server that depended on PowerShell 2.0 are directly affected. Microsoft recommends porting scripts and tools to PowerShell 5.1 or 7 and replacing outdated software that still requires the 2.0 engine. The 2.0 engine predates AMSI, script block logging and constrained language mode, so its removal also closes the downgrade path attackers have used to run scripts outside those controls.
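An added example, not from the article, for finding what on a host still depends on the 2.0 engine before it disappears. It checks whether the optional feature is enabled, searches script and batch files for explicit requests for engine version 2, and reads the Windows PowerShell log for engine start-ups that report EngineVersion=2.0, which are either legacy tooling or downgrade attempts. The paths in $ScriptRoots and the 30-day window are placeholders chosen for this example.

```powershell
# Added example (not from the article): inventory PowerShell 2.0 dependencies on a host.
# Assumptions: elevated session on Windows; $ScriptRoots are hypothetical locations to scan.
$ScriptRoots = 'C:\Scripts', 'C:\Program Files\Contoso'

# 1. Is the PowerShell 2.0 engine still enabled as an optional feature?
Get-WindowsOptionalFeature -Online -FeatureName 'MicrosoftWindowsPowerShellV2*' |
    Select-Object FeatureName, State

# 2. Scripts and batch files that explicitly demand engine 2.0, either on the command line
#    (powershell -Version 2 / -v 2) or inside the file (#requires -Version 2.0).
$pattern = '(?i)(powershell(\.exe)?\s+(-v|-version)\s+2(\.0)?\b)|(#requires\s+-version\s+2(\.0)?\b)'
Get-ChildItem -Path $ScriptRoots -Recurse -Include *.ps1,*.psm1,*.bat,*.cmd -ErrorAction SilentlyContinue |
    Select-String -Pattern $pattern |
    Select-Object Path, LineNumber, Line

# 3. Engine 2.0 start-ups in the last 30 days. Event 400 in the classic Windows PowerShell log
#    records EngineVersion and HostApplication; script block logging and AMSI do not cover
#    the 2.0 engine, so each hit is either legacy tooling to migrate or a downgrade attempt.
Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400; StartTime = (Get-Date).AddDays(-30) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'EngineVersion=2\.0' } |
    Select-Object TimeCreated,
        @{ n = 'Host'; e = { (($_.Message -split "`n") -match 'HostApplication=')[0].Trim() } }
```

Once the engine is gone, the command-line form in step 2 no longer downgrades silently: `powershell.exe -Version 2` fails to start, so the scripts found there will break rather than run unmonitored.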
Winsage
August 5, 2025
A new variant of the RoKRAT malware, attributed to North Korea's APT37 group, hides its malicious code inside JPEG image files using steganography, which complicates detection. It is distributed mainly in South Korea through compressed archives containing Windows shortcut (.LNK) files that start a multi-stage infection: PowerShell commands decrypt and run the payload, which injects itself into trusted Windows processes such as mspaint.exe and notepad.exe and leaves minimal forensic traces. The malware exfiltrates stolen data through legitimate cloud storage APIs, which blends its traffic with normal use and hampers attribution. APT37 has shown adaptability by switching its injection targets and camouflaging its development artifacts, which underlines the need for Endpoint Detection and Response (EDR) coverage and proactive hunting.
Winsage
August 4, 2025
Specialists at the Genians Security Center have identified a new version of the RoKRAT malware linked to the North Korean APT37 group. This version hides its code in JPEG images with steganography, which lets it slip past antivirus scanning. The infection begins with a ZIP archive containing an unusually large .LNK shortcut disguised as a document. The chain is built from several encrypted components, including shellcode, PowerShell scripts and batch files: on execution, PowerShell decrypts the shellcode with an XOR operation and the malware injects itself into legitimate Windows processes without writing to disk. The RoKRAT loader is embedded in a JPEG image hosted on Dropbox, and a double XOR transformation extracts the shellcode from it. The malware is launched through sideloading with legitimate utilities and stages downloaded from cloud platforms. RoKRAT collects data, takes screenshots and transmits them to external servers. Recent samples inject into notepad.exe, a sign of ongoing development. Because traditional signature-based defenses are inadequate here, endpoint detection and response (EDR) systems that monitor for anomalous process behaviour are essential.
Winsage
August 4, 2025
Security researchers at Genians Security Center discovered a new variant of the RoKRAT malware linked to the North Korean APT37 threat group. The malware uses steganography to hide its payload inside JPEG files, which lets it evade traditional antivirus detection. It is typically delivered as malicious shortcut files inside ZIP archives, disguised as legitimate documents. Execution uses a two-stage encrypted shellcode injection, driven by PowerShell and batch scripts, that runs the payload entirely in memory. The malware collects system information, documents and screenshots and exfiltrates them through legitimate cloud storage APIs; the command-and-control accounts behind it are tied to Russian email services. RoKRAT variants have evolved to use different injection methods and reference distinct PDB paths. The published indicators of compromise are MD5 hashes of the samples.
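An added hunting example for the delivery stage described in the three RoKRAT entries above; it is not from the Genians report and does not use its indicators. It walks a folder for Windows shortcut files and flags the tells the summaries describe: a shortcut far larger than a normal one (a sign of an embedded payload), a target that launches PowerShell or another script host, arguments typical of hidden or encoded execution, and a document-style double extension used as a lure. The scan root, the 50 KB threshold and the regexes are this example's choices; expand a suspicious ZIP into the scan root with Expand-Archive first.

```powershell
# Added hunting example (not from the Genians report): flag suspicious .lnk files.
# Assumptions: $ScanRoot, $SizeLimit and the regexes are this example's own choices.
$ScanRoot  = "$env:USERPROFILE\Downloads"   # hypothetical folder to hunt in
$SizeLimit = 50KB                            # ordinary shortcuts are a few KB at most

$shell = New-Object -ComObject WScript.Shell   # reads shortcut metadata without running it
$scriptHosts    = '(?i)(powershell|pwsh|cmd|mshta|wscript|cscript)\.exe$'
$suspiciousArgs = '(?i)(-enc\b|-e\b|encodedcommand|-w(indowstyle)?\s+hidden|-nop\b|bypass|\biex\b|downloadstring|frombase64string)'
$lureExtensions = '(?i)\.(pdf|docx?|hwpx?|xlsx?|pptx?|txt)$'   # name like report.pdf.lnk

Get-ChildItem -Path $ScanRoot -Recurse -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
    $lnk = $_
    try { $sc = $shell.CreateShortcut($lnk.FullName) } catch { return }

    $reasons = @()
    if ($lnk.Length -gt $SizeLimit)           { $reasons += "size $([int]($lnk.Length / 1KB)) KB" }
    if ($sc.TargetPath -match $scriptHosts)   { $reasons += "target $($sc.TargetPath)" }
    if ($sc.Arguments -match $suspiciousArgs) { $reasons += 'hidden/encoded arguments' }
    if ($lnk.BaseName -match $lureExtensions) { $reasons += 'double extension' }

    if ($reasons) {
        $shownArgs = if ($sc.Arguments.Length -gt 120) { $sc.Arguments.Substring(0, 120) + '...' } else { $sc.Arguments }
        [pscustomobject]@{
            File    = $lnk.FullName
            Reasons = $reasons -join '; '
            Target  = $sc.TargetPath
            Args    = $shownArgs
        }
    }
} | Format-List
```

A hit on size alone is worth a look even when the target is an innocuous program, because the shortcut's own bytes are what the later stages read; the PowerShell stage and the in-memory injection into notepad.exe or mspaint.exe are what EDR process telemetry has to catch once the shortcut runs.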
Winsage
August 3, 2025
Microsoft has made Windows PowerShell, a command-line shell built for scripting and task automation, the default over the traditional Command Prompt. Key commands include:
1. Get-Process: retrieves the processes running on the local computer or a remote server, with names, IDs, CPU time and memory consumption. Typical use is filtering processes by memory usage or by application name.
2. Get-Command: lists every command available in the session, including cmdlets, functions, aliases and scripts, which makes it the starting point for discovering the command for a task.
3. Set-ExecutionPolicy: configures the script execution policy, which determines whether scripts can run and under what conditions. Power users adjust it to run their own scripts; the policy is a safeguard against accidentally running scripts, not a security boundary, since anyone who can run a command can bypass it.
4. Get-EventLog: reads the classic event logs for troubleshooting errors or auditing activity, including warnings and security audit events, and can filter by log name and entry type. It exists only in Windows PowerShell 5.1; PowerShell 7 dropped it in favour of Get-WinEvent.
5. Where-Object: filters objects in a pipeline on a condition, narrowing results for analysis, reporting and automation; it combines with any of the commands above.
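An added example, not from the article, that uses the five cmdlets together on a realistic task: find memory-heavy processes, discover related commands, inspect the execution policy before changing it, and pull errors and failed logons from the event logs. The 200 MB threshold, the 20-entry limit and the one-day window are this example's choices.

```powershell
# Added example (not from the article): the five cmdlets used together.
# Assumptions: Windows PowerShell 5.1 (Get-EventLog is absent from PowerShell 7),
# elevated so the Security log is readable.

# 1. Get-Process + Where-Object: processes with a working set above 200 MB, largest first.
Get-Process |
    Where-Object { $_.WorkingSet64 -gt 200MB } |
    Sort-Object WorkingSet64 -Descending |
    Select-Object Name, Id, @{ n = 'WS_MB'; e = { [math]::Round($_.WorkingSet64 / 1MB) } }, CPU

# 2. Get-Command: other commands that act on processes, and which module each comes from.
Get-Command -Noun Process | Select-Object Name, CommandType, Source

# 3. Execution policy: list every scope first, then relax only the current user's scope.
#    RemoteSigned runs local scripts and requires a signature on downloaded ones.
Get-ExecutionPolicy -List
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

# 4. Get-EventLog: the 20 most recent System-log errors, grouped by source.
Get-EventLog -LogName System -EntryType Error -Newest 20 |
    Group-Object Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# 5. Get-EventLog + Where-Object: failed logons (event 4625) in the last day. Index 5 of
#    ReplacementStrings is the target account name for this event.
Get-EventLog -LogName Security -After (Get-Date).AddDays(-1) -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 4625 } |
    Select-Object TimeGenerated, EventID, @{ n = 'Account'; e = { $_.ReplacementStrings[5] } }
```

On PowerShell 7 replace the two Get-EventLog calls with Get-WinEvent and a -FilterHashtable (LogName, Id, StartTime); the rest of the pipeline is unchanged.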
Winsage
July 30, 2025
The Microsoft Security Compliance Toolkit is a set of tools for administrators to compare Group Policy Objects (GPOs) with Microsoft's published security baselines, spot discrepancies and apply the recommended settings. It contains Policy Analyzer, the Local Group Policy Object (LGPO) utility and the SetObjectSecurity tool. The toolkit is downloaded from Microsoft's website as separate zip files for each security baseline package. Policy Analyzer compares sets of GPOs with each other and with the local policy to find inconsistencies; LGPO applies, backs up and verifies local policy, which makes it the tool for standalone and non-domain machines; SetObjectSecurity applies security descriptors to objects such as files and folders. On Windows Server, baselines should be tested in a non-production environment before deployment, since they can disable services or protocols that applications still rely on. Windows Server 2025 adds the OSConfig platform, which applies security baselines directly from PowerShell and keeps them enforced, simplifying updates and ongoing compliance.
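An added example, not from the article, showing the two ways the summary describes for putting a baseline on a machine: LGPO.exe for a local policy backup and import on Windows 11 or older servers, and the OSConfig module on Windows Server 2025, followed by a drift check. The extraction folder $Toolkit and the baseline GPO subfolder are hypothetical paths; the LGPO switches (/b, /g, /v), the Microsoft.OSConfig module and the SecurityBaseline/WS2025/MemberServer scenario are the documented ones.

```powershell
# Added example (not from the article): apply a baseline with LGPO, then with OSConfig.
# Assumptions: elevated session; $Toolkit and 'Baseline\GPOs' are hypothetical paths
# standing in for the extracted toolkit and baseline package.
$Toolkit = 'C:\SCT'
$Lgpo    = Join-Path $Toolkit 'LGPO\LGPO.exe'
$Backup  = "C:\LGPO-Backup\$(Get-Date -Format 'yyyyMMdd-HHmm')"

# Windows 11 / earlier servers: back up the current local policy, then import the
# baseline's GPO backup folder. /v prints each setting as it is written.
New-Item -ItemType Directory -Path $Backup -Force | Out-Null
& $Lgpo /b $Backup
& $Lgpo /g (Join-Path $Toolkit 'Baseline\GPOs') /v
# Roll back if something breaks:  & $Lgpo /g $Backup

# Windows Server 2025: OSConfig applies the baseline and keeps it enforced.
Install-Module -Name Microsoft.OSConfig -Scope AllUsers -Repository PSGallery -Force
Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/MemberServer -Default

# Drift check: every setting whose current value no longer matches the baseline.
Get-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/MemberServer |
    Where-Object { $_.Compliance.Status -ne 'Compliant' } |
    Select-Object Name, Value,
        @{ n = 'Status'; e = { $_.Compliance.Status } },
        @{ n = 'Reason'; e = { $_.Compliance.Reason } }
```

Run both halves on a test machine first: the LGPO backup taken before the import is the only rollback point for the local-policy path, and the scenario name should match the server's role (DomainController, MemberServer or WorkgroupMember).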
Winsage
July 23, 2025
- The Starship prompt gives the command line a sleek, customizable look and works across different shells. It needs a Nerd Font for its icons and installs through the Windows Package Manager (winget) for PowerShell, or through the distribution's package manager for WSL. Setup consists of adding an init command to the shell profile and creating a configuration file.
- Fastfetch is a lightweight system-information tool and a modern replacement for Neofetch that supports both Windows and Linux. It installs through the usual package managers and is configured by generating a config file.
- Windows Terminal on Windows 11 can be customized with theme changes, font adjustments and transparency, either through the settings GUI or by editing its JSON settings file.
- To run Starship and Fastfetch at startup in PowerShell, create a PowerShell profile (if it does not already exist) and add the commands for both tools to it.
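An added example, not from the article, of a PowerShell profile that wires both tools in, with the install steps as comments. It assumes the winget package IDs Starship.Starship and Fastfetch-cli.Fastfetch and the tools' default config locations; each tool is guarded so the profile still loads on a machine where one of them is missing, and Fastfetch is skipped when input is redirected so remoting and scripted sessions stay quiet.

```powershell
# Added example (not from the article): contents of $PROFILE for Starship + Fastfetch.
# Assumptions: winget IDs Starship.Starship and Fastfetch-cli.Fastfetch; default config paths.
#
# One-time setup, run once in a normal session (not part of the profile):
#   winget install --id Starship.Starship --exact
#   winget install --id Fastfetch-cli.Fastfetch --exact
#   fastfetch --gen-config                        # writes the default config.jsonc
#   if (-not (Test-Path $PROFILE)) { New-Item -ItemType File -Path $PROFILE -Force }
#   notepad $PROFILE                              # paste the lines below

# Starship: explicit config path (this is the default, set here so it is obvious), then init.
$ENV:STARSHIP_CONFIG = "$HOME\.config\starship.toml"
if (Get-Command starship -ErrorAction SilentlyContinue) {
    Invoke-Expression (&starship init powershell)
}

# Fastfetch: only for interactive consoles, so scripts and PowerShell remoting stay clean.
if (-not [Console]::IsInputRedirected -and (Get-Command fastfetch -ErrorAction SilentlyContinue)) {
    fastfetch
}
```

Reload with `. $PROFILE` or open a new tab; the Windows Terminal font setting must be a Nerd Font for the Starship glyphs to render.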