How to check who ran a PowerShell command remotely through WinRM

  • Question

  • Hi, my server was hacked. Some virus ran PowerShell on my server.

    cmd  /c powershell -c Set-MpPreference -DisableRealtimeMonitoring $true;(get-wmiobject -class win32_networkadapterconfiguration -filter ipenabled=true).SetDNSServerSearchOrder(@('8.8.8.8','9.9.9.9'))
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell  -c Set-MpPreference -DisableRealtimeMonitoring $true;(get-wmiobject -class win32_networkadapterconfiguration -filter ipenabled=true).SetDNSServerSearchOrder(@('8.8.8.8','9.9.9.9'

    My antivirus software stopped it. I want to check which server was hacked to run PowerShell on my server. All my servers are in the same domain.

    Thank you


    ---

    Hello, my server was attacked. In the antivirus software's log I found abnormal PowerShell commands being executed. I suspect that another server was infected with a virus and then used WinRM to execute PowerShell remotely. Is there a way to find the source that executed the PowerShell command?

    • Edited by Chivas_Tan Wednesday, April 29, 2020 1:57 AM
    Wednesday, April 29, 2020 1:48 AM

All replies

  • Please contact your AV vendor for assistance. This is not an AV forum and there is no way we can help you with this.


    \_(ツ)_/

    Wednesday, April 29, 2020 2:38 AM
  • Thanks for your help.

    Is there any PowerShell log to view?

    Do you know how to monitor PowerShell runs?


    ...

    Wednesday, April 29, 2020 4:51 AM
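On the question of which logs to look at: the record of where a remote session came from is already on the affected server in the Security, WinRM and PowerShell event logs, so you do not have to catch the attacker live. The script below is an added example written for this thread, not code from any of the posters. It runs on the affected server in an elevated PowerShell, takes a time window bracketing the AV alert, and prints the four things that pin down the source: network (type 3) logons with their source IP, WinRM shell-creation events, PowerShell engine starts hosted by remoting, and the parent process of every powershell.exe/cmd.exe launch (wsmprovhost.exe means WinRM remoting; WmiPrvSE.exe means WMI; services.exe means a service such as PsExec). It assumes logon auditing is on (4624), that process-creation auditing (4688, ideally with command line) and script-block logging (4104) may or may not be enabled, and that the WinRM and PowerShell operational logs are at their default enabled state; a log that is missing or empty is skipped rather than aborting.

```powershell
# Added example (not from the thread): find where a remote PowerShell
# session came from, using only event logs already on the affected server.
# Run elevated on that server: .\Find-RemotePSSource.ps1 -Start '2020-04-28 20:00' -End '2020-04-29 02:00'
param(
    [datetime]$Start = (Get-Date).AddHours(-24),
    [datetime]$End   = (Get-Date)
)

function Get-EventsSafe {
    # Get-WinEvent throws when a log is absent, disabled, or has no matching
    # records; return an empty array so one missing log does not stop triage.
    param([hashtable]$Filter)
    try { Get-WinEvent -FilterHashtable $Filter -ErrorAction Stop } catch { @() }
}

function ConvertTo-EventData {
    # Flatten the <EventData><Data Name="..."> elements of one event into a hashtable.
    param($Event)
    $data = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
    $data
}

# 1. Security 4624, LogonType 3 (network). WinRM, WMI and SMB/PsExec all begin
#    with one of these; IpAddress is the calling machine (WorkstationName is
#    often empty for Kerberos logons, so do not rely on it alone).
$logons = Get-EventsSafe @{ LogName = 'Security'; Id = 4624; StartTime = $Start; EndTime = $End } |
    ForEach-Object {
        $d = ConvertTo-EventData $_
        if ($d.LogonType -eq '3') {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Account    = "$($d.TargetDomainName)\$($d.TargetUserName)"
                SourceIP   = $d.IpAddress
                SourceHost = $d.WorkstationName
                AuthPkg    = $d.AuthenticationPackageName
            }
        }
    }

# 2. WinRM's own log: 91 = a WSMan shell was created on this server (an
#    incoming remoting session), 169 = the remote user authenticated.
$winrm = Get-EventsSafe @{ LogName = 'Microsoft-Windows-WinRM/Operational'; Id = 91, 169; StartTime = $Start; EndTime = $End } |
    Select-Object TimeCreated, Id, Message

# 3. Classic 'Windows PowerShell' log, 400 = engine started. HostName=ServerRemoteHost
#    in the message means the engine was started for a remoting session
#    (hosted by wsmprovhost.exe), not by a local console.
$engine = Get-EventsSafe @{ LogName = 'Windows PowerShell'; Id = 400; StartTime = $Start; EndTime = $End } |
    Where-Object { $_.Message -match 'HostName=ServerRemoteHost' } |
    Select-Object TimeCreated,
        @{ n = 'HostApplication'; e = { ($_.Message -split "`r?`n" | Where-Object { $_ -match 'HostApplication=' }) -join ' ' } }

# 4. Security 4688 for powershell.exe / cmd.exe: ParentProcessName names the channel.
#    wsmprovhost.exe = PowerShell remoting over WinRM, WmiPrvSE.exe = WMI
#    Win32_Process.Create, services.exe = a service (PsExec style), svchost.exe = scheduled task.
$procs = Get-EventsSafe @{ LogName = 'Security'; Id = 4688; StartTime = $Start; EndTime = $End } |
    ForEach-Object {
        $d = ConvertTo-EventData $_
        if ($d.NewProcessName -match '\\(powershell|pwsh|cmd)\.exe$') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Process = $d.NewProcessName
                Parent  = $d.ParentProcessName   # empty on OS versions that predate this field
                User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                CmdLine = $d.CommandLine         # populated only if command-line auditing is on
            }
        }
    }

# 5. Script-block logging (4104) records the code itself; filter on a string
#    from the AV alert to find the exact block and its timestamp.
$blocks = Get-EventsSafe @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Start; EndTime = $End } |
    Where-Object { $_.Message -match 'DisableRealtimeMonitoring|SetDNSServerSearchOrder' } |
    Select-Object TimeCreated, Message

"== Network logons (type 3): the SourceIP column is the machine to look at =="
$logons | Sort-Object Time | Format-Table -AutoSize
"== WinRM shell creation / authentication =="
$winrm  | Format-Table -AutoSize -Wrap
"== PowerShell engines started by remoting =="
$engine | Format-Table -AutoSize -Wrap
"== powershell/cmd process creation with parent =="
$procs  | Sort-Object Time | Format-Table -AutoSize -Wrap
"== Script blocks matching the alert =="
$blocks | Format-List
```

Correlate by timestamp: the 4624 whose time is within a second or two of the 4688 for powershell.exe (or of the WinRM 91 event) gives the source IP and the account that was used. If the parent in 4688 is not wsmprovhost.exe, the command did not arrive over WinRM at all and the same logon event still names the caller.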
  • Wednesday, April 29, 2020 9:15 AM
  • You could run

    netstat -ano 1 | sls 5985

    (or 5986, whichever WinRM port is being used)

    while your server is being "attacked" and see which server is the origin of the connection.

    get-nettcpconnection -localport 5985

    could work if you catch it at the right time.

    Wednesday, April 29, 2020 9:47 AM
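Catching it "at the right time" is the weak spot of a one-off netstat or Get-NetTCPConnection: a remoting session can be open for only a few seconds. The script below is an added example written for this thread, not the replier's code. It polls the WinRM listener ports in a loop and appends every new remote endpoint to a CSV with a timestamp, the reverse-resolved host name and the owning process, so it can be left running overnight. It assumes the default listener ports 5985/5986 (change $Ports if the listener was moved) and a writable path under ProgramData; the owning process of an established WinRM connection is normally svchost.exe (the WinRM service), so the column that matters is RemoteAddress.

```powershell
# Added example (not from the thread): record every inbound WinRM connection
# to this server until stopped with Ctrl+C. Run elevated on the affected server.
param(
    [int[]]$Ports           = @(5985, 5986),                         # assumed default WinRM listener ports
    [string]$LogPath        = "$env:ProgramData\winrm-sources.csv",  # assumed writable location
    [int]$IntervalSeconds   = 1
)

$seen = @{}   # "remoteIP:remotePort" -> first-seen time, for connections currently open

while ($true) {
    $conns = @(Get-NetTCPConnection -LocalPort $Ports -State Established -ErrorAction SilentlyContinue)

    foreach ($c in $conns) {
        $key = "$($c.RemoteAddress):$($c.RemotePort)"
        if ($seen.ContainsKey($key)) { continue }   # already logged this connection
        $seen[$key] = Get-Date

        # Reverse lookup is best-effort; a host with no PTR record stays blank.
        $remoteHost = ''
        try { $remoteHost = [System.Net.Dns]::GetHostEntry($c.RemoteAddress).HostName } catch { }

        $owner = (Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue).ProcessName

        $row = [pscustomobject]@{
            Time          = $seen[$key].ToString('s')
            RemoteAddress = $c.RemoteAddress
            RemotePort    = $c.RemotePort
            LocalPort     = $c.LocalPort
            RemoteHost    = $remoteHost
            OwningProcess = $owner        # normally svchost.exe (WinRM service)
        }
        $row | Export-Csv -Path $LogPath -Append -NoTypeInformation
        Write-Host "$($row.Time)  $($row.RemoteAddress) ($remoteHost) -> :$($c.LocalPort)"
    }

    # Forget endpoints that have closed, so a later reconnect from the same
    # host is recorded as a new row with its own timestamp.
    $live = @($conns | ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" })
    foreach ($k in @($seen.Keys)) { if ($live -notcontains $k) { $seen.Remove($k) } }

    Start-Sleep -Seconds $IntervalSeconds
}
```

Once a row appears, take its Time and RemoteAddress to the Security log on the same server: the 4624 network logon with that IpAddress at that moment tells you which account the other machine used, and that machine is the one to isolate and examine next.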