dandodds
Members
Posts: 3
Everything posted by dandodds

  1. My research led to the original post here: https://forum.eset.com/topic/13651-powershell-script-possible-malicious-attack/ We are experiencing the same thing almost to a T. This only just started Monday, and we haven't made any changes to logging, so we are pretty confident it's malicious. It has affected a bunch of our servers. Some of our older servers weren't patched for EternalBlue until yesterday, so our fault on that end. We are running WMILister_30.vbs because it does remove the WMI entries in those posts I have linked, except they don't stay removed. My thoughts are that maybe there is now something else the VBS script needs to look for and remove. Just a thought.
  2. An entry does show up. We keep removing it with the script, and the removal doesn't appear to be permanent. All of the infectious entries in WMI come back. Maybe WMILister_30.vbs needs another update? I'm hoping an ESET engineer sees this post.
  3. We need some help removing the same PowerShell infection that was reported last year, where the CPU runs at 100%. We have followed the instructions provided by JamesR with no success. Article here: https://forum.eset.com/topic/14821-malicious-powershell-script-wmi-for-persistance/ WMILister_30.vbs does find and remove some entries, but they keep coming back. PowerShell at 99%. Attached are the ESET Log Collector logs as well as the logs from WMILister_30.vbs. Please assist! Attachments: ELC_logs.zip, WMILister_30 logs.zip
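The posts above describe permanent WMI event subscriptions (filter, consumer and the binding between them in the root\subscription namespace) that reappear after WMILister_30.vbs removes them. The script below is an added example written for this page; it is not from the forum thread, from ESET, or from WMILister_30.vbs. It audits those subscriptions so a responder can see which filter query triggers which consumer payload, and it can be re-run at an interval to show when a binding comes back. It assumes PowerShell 3 or later (Get-CimInstance) on a Windows host, run from an elevated prompt; the function names, the output columns and the keyword heuristic behind the Suspicious flag are my own choices.

```powershell
# Added example: audit permanent WMI event subscriptions (root\subscription).
# Not ESET's WMILister_30.vbs. Assumes PowerShell 3+ and an elevated session.

function Get-WmiRefName {
    # A binding's Filter/Consumer property is a CimInstance under Get-CimInstance,
    # but a path string like ...:__EventFilter.Name="X" under older WMI tooling.
    param($Ref)
    if ($Ref -is [string]) { return ($Ref -replace '^.*Name="([^"]+)".*$', '$1') }
    return $Ref.Name
}

function Get-WmiPersistence {
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)

    $ns        = 'root\subscription'
    $filters   = Get-CimInstance -ComputerName $ComputerName -Namespace $ns -ClassName __EventFilter
    $consumers = Get-CimInstance -ComputerName $ComputerName -Namespace $ns -ClassName __EventConsumer
    $bindings  = Get-CimInstance -ComputerName $ComputerName -Namespace $ns -ClassName __FilterToConsumerBinding

    foreach ($b in $bindings) {
        $filterName   = Get-WmiRefName $b.Filter
        $consumerName = Get-WmiRefName $b.Consumer
        $f = $filters   | Where-Object Name -eq $filterName
        $c = $consumers | Where-Object Name -eq $consumerName

        # Only these two consumer classes carry an executable payload to read.
        $payload = switch ($c.CimClass.CimClassName) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { $c.ScriptText }
            default                     { '' }
        }

        [pscustomobject]@{
            Computer      = $ComputerName
            Filter        = $filterName
            Query         = $f.Query            # the WQL event that fires the consumer
            Consumer      = $consumerName
            ConsumerClass = $c.CimClass.CimClassName
            Payload       = $payload
            # Heuristic only (my assumption): common markers of scripted payloads.
            Suspicious    = [bool]($payload -match 'powershell|-enc|-nop|frombase64|downloadstring|hidden')
        }
    }
}

function Watch-WmiPersistence {
    # Re-audit every $IntervalSeconds and report bindings that were absent in the
    # previous pass, which is the "they keep coming back" symptom from the thread.
    param([int]$IntervalSeconds = 300, [int]$Passes = 12)

    $previous = @{}
    for ($i = 1; $i -le $Passes; $i++) {
        $current = @{}
        foreach ($e in (Get-WmiPersistence)) {
            $key = '{0}|{1}' -f $e.Filter, $e.Consumer
            $current[$key] = $e
            if ($i -gt 1 -and -not $previous.ContainsKey($key)) {
                Write-Warning ('Pass {0}: binding reappeared: {1} -> {2}' -f $i, $e.Filter, $e.Consumer)
            }
        }
        $previous = $current
        if ($i -lt $Passes) { Start-Sleep -Seconds $IntervalSeconds }
    }
}

# Usage: list everything, then flag the entries worth reading.
Get-WmiPersistence | Format-Table Filter, ConsumerClass, Suspicious -AutoSize
Get-WmiPersistence | Where-Object Suspicious | Format-List
```

Compare the Filter and Consumer names against what WMILister_30.vbs logs as removed; if Watch-WmiPersistence reports a binding reappearing between passes while no administrator recreated it, the timestamp of that pass narrows down which other mechanism on the host is restoring it, which is the question post 1 raises.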