Windows 10: active 'Amsiglob' malware in a PowerShell script was prevented from executing via AMSI

Upon checking the device timeline in defender I observed the following activities:SenseIR.exe was observed initiating secure TLS connections to the following URLs: https://winatp-gw-neu.microsoft.comhttps://automatedirstrprdneu.blob.core.windows.net Followed by the below given activities: SenseIR.exe launched a secondary PowerShell interpreter named senseir.exe child processThis child process subsequently spawned powershell.exepowershell.exe created a temporary script file:__PSScriptPolicyTest_vlfnmxrs.nl1.ps1 Followed by multiple powershell commands which showed the following behaviour: Con

:)

 

Unable to execute the Powershell scripts on Windows 11

Hi,

I am trying to execute the "Powershell" scripts on Windows 11 which was working great in Windows10.

But, I am unable to execute it on Windows 11.

So, I have tried executing the PS1 script is multiple ways,

1. Right click -> Run Powershell

=> Powershell screen was blinked and gone.

2. Launched the Powershell cmdlet with administrator and navigated to the script file location. Then executed the PS1 file.

=> refer the image for the error when we execute the script.

3. Finally, I tried changing the execution policy using the Powershell cmdlet and I was able to execute my script (which was working in win10).

Here, my question is the same script is working fine with Win10 without changing any policy. Then why it is not working with Win11 .

1. Why it is required to change the policy ?

2. Is it possible to execute the script in win11 without changing the policy ?

3. What would be the root cause ? why is is not allowed ?

4. What is the default execution policy for win 10 and win11 ? how it differs on execution?

Please help me to understand the Powershell behavior and root cause of the problem.

 

Unable to execute the Powershell scripts on Windows 11

In Windows 10, when I execute the PowerShell script, Execution policy is "Undefined" and I could see the "disable" error message .

Even though, I am able to execute the PowerShell script content.

 

Issue faced when PowerShell script executed through SQL Server Agent Job

I have a PowerShell script that searches for an excel file at a particular location, if found copies it as a CSV file to another location.

This CSV is used as a source in ADF - Copy Activity.

This script is not interacting with any database, nor performing any db tasks - just reading an excel and converting it to CSV at particular location.

It is working fine as intended, when executed through PowerShell ISE, but when I scheduled it as a SQL server agent job it is not doing anything. The job successfully as per the message in Job History, but it does not do anything. The message says :

=====================================================================================

Message

The job succeeded. The Job was invoked by User PMCI\VermaRachna. The last step to run was step 1 (Load_Radiotherapy_Machine_Utilization_File_Org_Src).

Message

Executed as user: PMCI\SVC_DASH_SQLDevAGT. The step did not generate any output. Process Exit Code 0. The step succeeded.

=====================================================================================

I have scheduled the Job with type as "Powershell" and the script code is pasted in Command area of the Job Step.

Since I am not getting any error message how do I know what is the issue due to which script is not doing anything when run through SQL Server agent job. Can some one help with this please. I can share the script code if required.