During my last assessment i discovered a strange behaviour of Microsoft’s SmartScreen feature.
In general this security feature should block the execution of untrusted downloads from the internet (more details).

In fact it’s blocking the execution if you try to open an untrusted application through the gui (file explorer).

But if you execute the application through a command line tool such as cmd or powershell, the execution isn’t blocked xD

I already tweeted about this some days ago and Matt got a logical answer for this.

Anyway it’s a funny finding and most admins are not aware of this, so i decided to write this small blog post.