How to check out who ran PowerShell commands remotely through WinRM

  • Question

  • Hi, my server is hacked. Some virus runs PowerShell on my server.

    cmd  /c powershell -c Set-MpPreference -DisableRealtimeMonitoring $true;(get-wmiobject -class win32_networkadapterconfiguration -filter ipenabled=true).SetDNSServerSearchOrder(@('',''))
    powershell  -c Set-MpPreference -DisableRealtimeMonitoring $true;(get-wmiobject -class win32_networkadapterconfiguration -filter ipenabled=true).SetDNSServerSearchOrder(@('',''

    My antivirus software stopped it. I want to check out which server was hacked to run PowerShell on my server. All my servers are in the same domain.

    Thank you



    • Edited by Chivas_Tan Wednesday, April 29, 2020 1:57 AM
    Wednesday, April 29, 2020 1:48 AM

All replies

  • Please contact your AV vendor for assistance.  This is not an AV forum and there is no way we can help you with this.


    Wednesday, April 29, 2020 2:38 AM
  • Thanks for your help.

    Is there any PowerShell log to view?

    Do you know how to monitor PowerShell runs?


    Wednesday, April 29, 2020 4:51 AM
  • Wednesday, April 29, 2020 9:15 AM
  • You could run

    netstat -ano 1 | sls 5985

    (or 5986 whichever winrm port is being used)

    while your server is being "attacked" and see which server is the origin of the connection

    get-nettcpconnection -localport 5985

    could work if you catch it at the right time

    Wednesday, April 29, 2020 9:47 AM
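The two questions above ("is there any PowerShell log to view?") and the netstat reply can be combined into one defender-side check. The following script is an added example, not code from this thread; it assumes Windows Server 2012 or later with PowerShell 5.1, an elevated session, and that PowerShell Script Block Logging is enabled (otherwise the event 4104 step returns nothing). The search string `DisableRealtimeMonitoring` is taken from the command in the question.

```powershell
# Added example (not from this thread). Assumes Windows Server 2012+/PowerShell 5.1,
# run as Administrator, and Script Block Logging enabled (otherwise step 2 is empty).
param([int]$Hours = 24, [string]$Needle = 'DisableRealtimeMonitoring')
$since = (Get-Date).AddHours(-$Hours)

# 1. Live view: who is connected to the WinRM listener right now. The owning PID is
#    usually 4 (System) because WinRM listens through HTTP.sys, so RemoteAddress
#    is the field that matters, not the process name.
Get-NetTCPConnection -LocalPort 5985,5986 -State Established -ErrorAction SilentlyContinue |
  Select-Object LocalPort, RemoteAddress, RemotePort, OwningProcess | Format-Table -AutoSize

# 2. Script Block Logging (event 4104): every logged script block containing the
#    suspicious text. Properties[2] of a 4104 event is ScriptBlockText.
$blocks = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since
  } -ErrorAction SilentlyContinue | Where-Object { $_.Properties[2].Value -like "*$Needle*" }

# 3. Correlate each hit with network logons (4624, LogonType 3) in the minutes before it.
#    In a 4624 event, Properties[18] is IpAddress and Properties[11] is WorkstationName
#    of the machine that authenticated, i.e. the origin the question asks about.
$blocks | ForEach-Object {
  $b = $_
  Get-WinEvent -FilterHashtable @{
      LogName = 'Security'; Id = 4624
      StartTime = $b.TimeCreated.AddMinutes(-5); EndTime = $b.TimeCreated.AddSeconds(30)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -eq 3 } |
    ForEach-Object {
      [pscustomobject]@{
        ScriptTime = $b.TimeCreated
        LogonTime  = $_.TimeCreated
        User       = '{0}\{1}' -f $_.Properties[6].Value, $_.Properties[5].Value
        SourceIP   = $_.Properties[18].Value
        SourceHost = $_.Properties[11].Value
        AuthPkg    = $_.Properties[10].Value
      }
    }
} | Sort-Object ScriptTime, LogonTime | Format-Table -AutoSize

# 4. Defender's own record: event 5001 is written when real-time protection is turned
#    off, which shows whether the command actually succeeded before AV stopped it.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001; StartTime = $since
  } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id | Format-Table -AutoSize
```

Run the same script on every domain member whose name or IP shows up in SourceHost/SourceIP to walk back to the first compromised machine; if Script Block Logging is off, enable it via Group Policy (Administrative Templates > Windows Components > Windows PowerShell) before the next attempt.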