Latest updates indicated Peasecto.A infection ???

    Question

  • After updating the latest signatures, I got a message from Windows Defender indicating I had malware. That was a PowerShell remoting trojan (!) but no worries, Windows Defender can remove it for you ...

    I really want to know how the infection got on my computer in the first place.

    PowerShell Remoting trojan is like a huuuuuge risk and danger?

    Looking it up on Google gives you 0 results? Try yourself: "PeaSecto.a"

    Now what I want to learn is whether this is something the Microsoft/Windows Defender team invented themselves, because you cannot find any information at all anywhere else.

    How real is this malware? I consider myself to be a true expert when it comes to security, and I haven't gotten an infection on my devices for the past decade without running antivirus solutions.

    This is a primer for me ... a PowerShell remoting trojan ... which I use daily ... that got there mysteriously ... and nobody knows what can be done to avoid infection?

    OR .... Any feedback at all is welcome .. I still have the device for forensics purposes ..

    Link to the only MS info:

    https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan%3aPowerShell%2fPeasecto.A&threatid=2147725478&enterprise=1


    Best regards, David



    Saturday, January 27, 2018 6:58 PM

Answers

  • This issue is resolved in a current definition update.

    PS C:> Get-MpComputerStatus | select anti*
    
    AntispywareEnabled              : True
    AntispywareSignatureAge         : 0
    AntispywareSignatureLastUpdated : 1/28/2018 8:28:36 PM
    AntispywareSignatureVersion     : 1.261.424.0
    AntivirusEnabled                : True
    AntivirusSignatureAge           : 0
    AntivirusSignatureLastUpdated   : 1/28/2018 8:28:37 PM
    AntivirusSignatureVersion       : 1.261.424.0

    • Marked as answer by David De Vos Monday, January 29, 2018 10:36 AM
    Monday, January 29, 2018 6:37 AM

All replies

  • We are seeing this as well - all but certain this is a bad signature causing false positives.  It's also causing services to terminate unexpectedly:

    Windows Remote Management (WS-Management).
    Network Location Awareness
    Workstation
    DNS Client
    Cryptographic Services

    It says PowerShell/Peasecto.A - I'm thinking some of our automation or monitoring tooling is triggering this, at which point Defender attempts to 'clean' wsmprovhost.exe, resulting in failure of Win-RM and its dependent services.

    I see this was introduced on a signature update on Jan 26th: https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes 

    Microsoft - can we please get a response on this one please?

    Sunday, January 28, 2018 5:55 PM
  • Even the MSOnline module stops working. If I run Find-Module it complains about the PowerShellGet module. Trying to import that module, I got the error:

    Import-Module : Could not find a part of the path 'C:\Users\User\AppData\Local\Temp\tmp_fbqndse1.nsg\tmp_fbqndse1.nsg.format.ps1xml'.

    And Windows Defender warns with this message:


    Sunday, January 28, 2018 8:36 PM
  • I came across this thread after trying to install 'Microsoft Azure Active Directory Module for PowerShell' from http://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=59185

    Running Windows Defender on the latest Windows 10 Pro. The download is flagged as containing a virus.

    If the MSI is installed, then when starting 'Microsoft Azure Active Directory Module for PowerShell' it fails, as C:\Windows\system32\WindowsPowerShell\v1.0\Modules\MSOnline\MSOnline.psd1 has been quarantined.

    If I restore it, I can stop the file being flagged as a virus by removing the first comment line.

    As per the previous post, this looks like a false positive, but we need Microsoft to review and comment.

    Sunday, January 28, 2018 9:57 PM
  • +1 - I've also just received this alert after installing the latest version of PowerShell Core.
    Sunday, January 28, 2018 10:23 PM
  • I recently updated Visual Studio Code to 1.19.3 and also receive this alert, referring to PSScriptAnalyzer.psd1

    EDIT: if you run

    import-module msonline

    you can trigger the alert (presumably only once). I wonder if it was a digital signature used in these psd1 files?


    Mike Crowley | MVP
    My Blog -- Baseline Technologies



    Sunday, January 28, 2018 11:22 PM
  • Yeah we're seeing this from our own scripts and some community PowerShell modules starting Jan 25th @ 8:20 AM EST

    Quick fix:

    Depending on your risk appetite, you could disable the piece of Defender that handles this:

    Set-MpPreference -DisableIOAVProtection $True

    Do be sure to revisit if you end up changing that.

    I've asked around if there's some manner of dealing with false positives outside of disabling that - ideally we don't throw out everything for a few false positives, and submitting to MS, while possible, isn't a reasonable solution for us (I can't just not have important automation and monitoring tasks running until something is identified as innocuous).

    Indications most of these are false positives:

    Do investigate to ensure it's not malicious, but this has been reported by a number of folks: 

    Some detections point out files, others are triggered by amsi and require you to correlate using PowerShell event logs, scheduled tasks, sysmon logs, or whatever way you have of knowing which script/code was running.

    Two questions out of this from me:

    • How do we whitelist certain scripts or code that _must_ run, regardless of whether amsi thinks it's nefarious?  Do exceptions waive amsi protection?
    • How do we quickly tie amsi detections back to something real?  E.g. a process, a file if from a script, etc.  Understand that this might be difficult or not possible in all cases.

    Cheers!




    Monday, January 29, 2018 12:14 AM
  • +1 for resolution with the definition update 1.261.424.0
    Monday, January 29, 2018 7:31 AM
  • I just got another message that I am infected this morning 29/01 at 10 AM, while my signatures are updated?

    Windows Defender Antivirus has detected malware or other potentially unwanted software.

    For more information please see the following:

    https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:PowerShell/Peasecto.A&threatid=2147725478&enterprise=1

    Name: Trojan:PowerShell/Peasecto.A

    ID: 2147725478

    Severity: Severe

    Category: Trojan

    Path: amsi:_PowerShell_C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe_10.0.16299.150000000000000014

    Detection Origin: Unknown

    Detection Type: Concrete

    Detection Source: AMSI

    User: NT AUTHORITY\SYSTEM

    Process Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

    Signature Version: AV: 1.261.404.0, AS: 1.261.404.0, NIS: 118.2.0.0

    Engine Version: AM: 1.1.14500.5, NIS: 2.1.14202.0


    Best regards, David

    Monday, January 29, 2018 10:35 AM
  • After updating again I am now on 1.261.427.0 and seems to be resolved for now .. 

    Best regards, David

    Monday, January 29, 2018 10:36 AM
  • Update the AV Definition using the Windows Defender.
    Monday, January 29, 2018 6:19 PM
  • I'm currently on:

    AntispywareEnabled              : True
    AntispywareSignatureAge         : 0
    AntispywareSignatureLastUpdated : 1/29/2018 7:56:15 AM
    AntispywareSignatureVersion     : 1.261.441.0
    AntivirusEnabled                : True
    AntivirusSignatureAge           : 0
    AntivirusSignatureLastUpdated   : 1/29/2018 7:56:16 AM
    AntivirusSignatureVersion       : 1.261.441.0

    Still not working. Defender still blocks the download, and if I force the download the install happens but the module gets flagged again and removed. Thoughts? I have rebooted three times and still no change.

    Monday, January 29, 2018 7:07 PM

  • Different modules are getting fixed in different updates. Anyone that is still having issues, list both the module and the current version of your definitions.

    Get-MpComputerStatus | Select AntivirusSignature*

    Broken modules will need to get re-installed. If Defender is still blocking a module, it will not let you install it.

    I have been tracking additional info here: https://kevinmarquette.github.io/2018-01-28-Powershell-windows-defender-peasceto-powershell


    Monday, January 29, 2018 8:00 PM
  • AntivirusSignatureAge AntivirusSignatureLastUpdated AntivirusSignatureVersion
    --------------------- ----------------------------- -------------------------
                        0 1/29/2018 1:14:38 PM          1.261.452.0

    Defender still blocking MSOnline powershell module install.

    Monday, January 29, 2018 10:29 PM
  • Same version string for me and still can't use MSOnline module too... 
    Tuesday, January 30, 2018 12:23 AM
  • This same thing happened to me, using VS Code, and I'm on the latest AV sigs..:


    AntispywareEnabled              : True
    AntispywareSignatureAge         : 0
    AntispywareSignatureLastUpdated : 1/29/2018 7:33:41 PM
    AntispywareSignatureVersion     : 1.261.470.0
    AntivirusEnabled                : True
    AntivirusSignatureAge           : 0
    AntivirusSignatureLastUpdated   : 1/29/2018 7:33:42 PM
    AntivirusSignatureVersion       : 1.261.470.0

    Tuesday, January 30, 2018 3:28 AM
  • It has been resolved in the latest signature update.

    The updated information has been posted here: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:PowerShell/Peasecto.A

    You can see if you have quarantined files (if PowerShell hasn't been blocked):

    Get-MpThreatDetection | ? {$_.Resources -match "((\\MSOnline\.psd1$)|(^amsi\:_PowerShell\S*\\powershell.exe))" -and $_.ThreatID -eq "2147725478" }


    ActionSuccess                  : True
    AdditionalActionsBitMask       : 0
    AMProductVersion               : 4.12.17007.18011
    CleaningActionID               : 2
    CurrentThreatExecutionStatusID : 1
    DetectionID                    : {273B282A-6599-4F06-A9FC-C3143B27B68D}
    DetectionSourceTypeID          : 10
    DomainUser                     : NORTHAMERICA\aaguilme
    InitialDetectionTime           : 1/29/2018 8:58:26 PM
    LastThreatStatusChangeTime     : 1/29/2018 8:59:09 PM
    ProcessName                    : C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    RemediationTime                : 1/29/2018 8:59:09 PM
    Resources                      : {amsi:_PowerShell_C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe_10.0.16299
                                     .150000000000000009}
    ThreatID                       : 2147725478
    ThreatStatusErrorCode          : 0
    ThreatStatusID                 : 3
    PSComputerName                 :

    ActionSuccess                  : True
    AdditionalActionsBitMask       : 0
    AMProductVersion               : 4.12.17007.18011
    CleaningActionID               : 2
    CurrentThreatExecutionStatusID : 1
    DetectionID                    : {38E50D79-0FDE-47A1-8FF0-926D58489D82}
    DetectionSourceTypeID          : 3
    DomainUser                     : NORTHAMERICA\aaguilme
    InitialDetectionTime           : 1/29/2018 8:47:59 PM
    LastThreatStatusChangeTime     : 1/29/2018 8:48:43 PM
    ProcessName                    : C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    RemediationTime                : 1/29/2018 8:48:43 PM
    Resources                      : {file:_C:\Program Files\WindowsPowerShell\Modules\MSOnline\1.1.166.0\MSOnline.psd1}
    ThreatID                       : 2147725478
    ThreatStatusErrorCode          : 0
    ThreatStatusID                 : 3
    PSComputerName                 :

    You'll need to unquarantine the affected files.

    Tuesday, January 30, 2018 2:13 PM
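    The replies above give three separate pieces (Get-MpComputerStatus for the definition version, Get-MpThreatDetection filtered on the threat ID, and the IOAV quick fix that should be revisited). The script below is an added example, not code from any poster or from Microsoft, that ties them together into one triage pass: it checks whether definitions are at or past the first version the thread reports as fixed (1.261.424.0), lists Peasecto.A detections split into AMSI (in-memory script content, nothing to restore) versus file hits (quarantined module manifests), restores quarantined files with MpCmdRun.exe only once definitions are fixed, and reports whether IOAV protection was left disabled. The threat ID 2147725478 and the version number are taken from the thread; the MpCmdRun.exe location under Program Files is an assumption about a standard Windows 10 install. Run it in an elevated Windows PowerShell session.

```powershell
# Added triage example for the Peasecto.A false-positive thread (not the posters' code).
# Assumes: Windows 10 with Windows Defender, Defender cmdlets available, elevated session,
# and MpCmdRun.exe at its default location under Program Files.

# Values quoted in the thread: the threat ID and the first definition version reported as fixed
$PeasectoThreatId = 2147725478
$FixedVersion     = [version]'1.261.424.0'

# 1. Definition version check; update if still older than the fix
$status  = Get-MpComputerStatus
$current = [version]$status.AntivirusSignatureVersion
"Definitions: $current (last updated $($status.AntivirusSignatureLastUpdated))"
if ($current -lt $FixedVersion) {
    "Definitions older than $FixedVersion - running Update-MpSignature."
    Update-MpSignature
    $current = [version](Get-MpComputerStatus).AntivirusSignatureVersion
    "Now on $current"
}

# 2. Detections for this threat ID, classified by resource type.
#    'amsi:' resources are script content caught in memory; there is no file to restore,
#    only the process that ran it. 'file:_' resources are on-disk files Defender quarantined.
$hits = Get-MpThreatDetection | Where-Object { $_.ThreatID -eq $PeasectoThreatId }
foreach ($h in $hits) {
    foreach ($res in $h.Resources) {
        $kind = if ($res -like 'amsi:*')      { 'AMSI (in-memory script)' }
                elseif ($res -like 'file:_*') { 'file (quarantined)' }
                else                          { 'other' }
        '{0}  {1,-24}  {2}  {3}' -f $h.InitialDetectionTime, $kind, $h.ProcessName, $res
    }
}

# 3. Restore quarantined files, but only when definitions are fixed; restoring earlier
#    just gets the file re-detected and removed again, as one reply reports.
$mpcmdrun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'   # assumed default path
$quarantinedFiles = @($hits | ForEach-Object { $_.Resources } |
    Where-Object { $_ -like 'file:_*' } |
    ForEach-Object { $_ -replace '^file:_', '' } |
    Sort-Object -Unique)
if ($quarantinedFiles.Count -gt 0) {
    "Files quarantined under threat ID ${PeasectoThreatId}:"
    $quarantinedFiles
    & $mpcmdrun -Restore -ListAll          # show what Defender currently holds in quarantine
    if ($current -ge $FixedVersion) {
        foreach ($f in $quarantinedFiles) { & $mpcmdrun -Restore -FilePath $f }
    } else {
        "Definitions still below $FixedVersion; not restoring yet."
    }
}

# 4. The quick-fix reply disables IOAV protection; flag it if it is still off so it gets re-enabled.
if ((Get-MpPreference).DisableIOAVProtection) {
    'IOAV protection is DISABLED - re-enable with: Set-MpPreference -DisableIOAVProtection $false'
}
```

    After restoring, re-import the affected module (for example Import-Module MSOnline) to confirm it is no longer flagged; if the module was removed rather than quarantined, it has to be reinstalled as the later reply notes.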
  • AKA update your definitions within Windows Defender.

    Thanks for the tip. Worked for me.

    Tuesday, January 30, 2018 5:58 PM