
Randika


Posts posted by Randika

  1. On 12/27/2017 at 4:27 AM, JamesR said:

    Killian,

    OK,  I think I have a plan of attack that should get you cleaned up.  I have 4 Powershell commands which have some slightly different, yet very important differences from the original commands you ran.  The best method to clean your network is to use the last script I provided on any computers you suspect are infected.  If its log has more than just the note lines of the following, then run the commands listed further below:

    ---WMILister Version:2.3---
    ---Possible embeded EXEs---   <Might see this listed a lot, but if no info is below it, then it's just a bug I need to fix.
    If log is empty, no bad scripts were found.


    Assuming all machines are patched for EternalBlue, here are the steps that should get you back to a clean state.

    1. Disconnect infected computers/servers from network

    2. Run Powershell with administrative privileges and execute the following commands.  If any error out, screenshot them and post them here with a log from the WMILister as well:
    Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter "__Path LIKE '%SCM Event Logs Consumer%'" | Remove-WMIObject -Verbose

    Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='SCM Event Logs Consumer'" | Remove-WMIObject -Verbose

    Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='SCM Event Logs Filter'" | Remove-WMIObject -Verbose

    ([WmiClass]'root\default:Office_Updater') | Remove-WMIObject -Verbose

    3. Reboot computer ASAP and leave disconnected from network while you repeat the above steps on any other computers or servers which are infected.

    4. Leave computers which were infected off the network for at least 2 hours (if possible) after cleaning.  Verify if any malicious Powershell processes start up.  Reconnect to network, and after about 2 more hours, verify if any malicious Powershell processes return.  If malicious processes return after connecting to the network, you still have infected computers which are spreading the infection back to cleaned computers.

    The most difficult part of cleaning this type of infection from your network is that a single computer could potentially spread the infection back to computers you cleaned.  That's why it's so important to disconnect any infected computer from the network and leave them disconnected while cleaning.  Any computers which are getting reinfected, you will want to triple check if they are patched for EternalBlue.  If infection keeps coming back, Wireshark logging during the time of reinfection may help us identify which machine is still infected and reinfecting computers, and SysInspector logs from those computers will help us identify anything that is not hiding in the WMI.

    Hi James,

    You are a life saver. I was having the same scenario, which I was able to remove the PS scripts from with your method. Any more suggestions that we have to look into, maybe on the firewall, to disable these types of malicious code entering the local network?


    Thnx once again
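An audit script for checking a machine for the WMI subscriptions the commands above remove, added here as an example and not part of the thread or of JamesR's WMILister. The subscription and class names come from JamesR's post; the script only lists by default and deletes only when run with -Remove (add -WhatIf to preview), from an elevated PowerShell.

```powershell
# Added example: list every permanent WMI event subscription, flag the names
# used by this infection (from the thread), and remove them only on request.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove,
    # Filter/consumer names from the thread; extend if your logs show others
    [string[]]$SuspectNames = @('SCM Event Logs Consumer', 'SCM Event Logs Filter'),
    [string]$SuspectClass = 'Office_Updater'   # class in root\default holding the payload
)

$ns = 'root\subscription'

# A binding joins a filter (the trigger) to a consumer (the action); audit all three.
$filters   = @(Get-WmiObject -Namespace $ns -Class __EventFilter)
$consumers = @(Get-WmiObject -Namespace $ns -Class __EventConsumer)   # base class returns every consumer type
$bindings  = @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding)

Write-Host "=== Permanent WMI subscriptions on $env:COMPUTERNAME ==="
foreach ($f in $filters)   { "FILTER   : {0}  Query={1}" -f $f.Name, $f.Query }
foreach ($c in $consumers) {
    # CommandLineEventConsumer carries a command line, ActiveScriptEventConsumer a script body
    $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } elseif ($c.ScriptText) { $c.ScriptText } else { '' }
    "CONSUMER : {0} ({1})  {2}" -f $c.Name, $c.__CLASS, $payload
}
foreach ($b in $bindings)  { "BINDING  : {0} -> {1}" -f $b.Filter, $b.Consumer }

# Flag entries whose names match the ones used by this infection
$suspects  = @()
$suspects += @($bindings  | Where-Object { $ref = "$($_.Filter) $($_.Consumer)"; $SuspectNames | Where-Object { $ref -like "*$_*" } })
$suspects += @($consumers | Where-Object { $SuspectNames -contains $_.Name })
$suspects += @($filters   | Where-Object { $SuspectNames -contains $_.Name })
$class = Get-WmiObject -Namespace 'root\default' -List | Where-Object { $_.Name -eq $SuspectClass }

if ($suspects.Count -eq 0 -and -not $class) { Write-Host 'No matching subscriptions found.'; return }

foreach ($s in $suspects) { Write-Warning "Suspect: $($s.__PATH)" }
if ($class) { Write-Warning "Suspect class: root\default:$SuspectClass" }

if ($Remove) {
    # Same order as the thread: bindings, then consumer, then filter, then the class
    foreach ($s in $suspects) {
        if ($PSCmdlet.ShouldProcess($s.__PATH, 'Remove-WmiObject')) { $s | Remove-WmiObject -Verbose }
    }
    if ($class -and $PSCmdlet.ShouldProcess("root\default:$SuspectClass", 'Remove class')) {
        ([WmiClass]"root\default:$SuspectClass") | Remove-WmiObject -Verbose
    }
}
```

Reboot after removal and keep the machine off the network as described above; any legitimate subscriptions (e.g. from management software) are printed too, so review the full list before adding names to -SuspectNames.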
