CAB, posted March 1, 2018

I seem to be having the same issue as Marco2526 in this topic from last year: https://forum.eset.com/topic/13651-powershell-script-possible-malicious-attack/

I have a server with a mysterious PowerShell process that reopens on a continuous basis. It seems to be generating malicious files that ESET File Security is thankfully cleaning. The PowerShell script generates files infected with Coinminer.cz and other trojans. I believe the script is using WMI for persistence, as described by JamesR in the previous topic.

I've run the WMILister_20.vbs script JamesR suggested in the previous topic. The results of the script are attached to this post. However, when I run the recommended PowerShell commands, they seem to have no effect in removing the issue. Do I need to modify the PowerShell scripts for this specific variant of WMI persistence? Please advise.

Thanks,

Attachment: DumpedScrpts.txt
Marcos (ESET Administrator), posted March 1, 2018

I would always start with providing logs collected by ELC. Please collect them and provide us with the generated archive.
CAB (thread author), posted March 1, 2018

Hi Marcos, please see attached for the requested logs.

Attachment: efsw_logs.zip
JamesR (ESET Staff), posted March 1, 2018 (edited)

@CAB Please download and generate an ELC log from here: https://www.eset.com/int/support/log-collector/

Also, please try this newer version of the WMILister, v3.0, on the server. Please supply any logs generated by this tool to me or Marcos so we can ensure we improve product detection/cleaning. If any odd scripts are found, you will be prompted whether you want to remove them. It is best to review the log, which will be saved inside a Log folder in the same folder the utility was run from.

https://eset.sharefile.com/d-sb6232c1bc5240709

Run this command as admin:

cscript //nologo WMILister_30.vbs

If scripts are found, you will be prompted to remove them. The prompt will remove all scripts it finds if you tell it to.

Here is an example output for no scripts found:

Advanced use: version 3.0 has command line switches. Use this command to see the possible switches:

cscript //nologo WMILister_30.vbs /?

These are the possible commands to scan and clean remote machines (port 135 inbound and port 445 outbound both need to be open on the remote machine; the same open ports are seemingly used by the malware to spread, so infected computers likely already have these ports open). Examples of switch usage are:

Machine name:
cscript //nologo WMILister_30.vbs /s:MachineName

IP address:
cscript //nologo WMILister_30.vbs /s:10.20.30.40

Force cleaning with no prompt (use at your own risk, as this risks removal of non-malicious WMI scripts):
cscript //nologo WMILister_30.vbs /f
cscript //nologo WMILister_30.vbs /s:MachineName /f
cscript //nologo WMILister_30.vbs /s:10.20.30.40 /f

Edited March 1, 2018 by JamesR: added example usage of switches
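The WMI persistence the thread is chasing is a permanent event subscription in the root\subscription namespace: an __EventFilter (a WQL trigger, typically a timer or a process-start event), an __EventConsumer that runs a command or script, and a __FilterToConsumerBinding that ties them together. The following PowerShell is an added example written for this page, not the ESET WMILister tool and not code posted by anyone in the thread. It lists every such binding, flags consumers whose payload contains strings commonly seen in malicious subscriptions (that keyword list is an assumption; tune it to your environment), and, only with -Remove, deletes the binding, consumer and filter of flagged entries. Run it in an elevated Windows PowerShell 5.1 session; the -ComputerName parameter is an assumed convenience for the remote case JamesR describes and uses the same DCOM/RPC ports as the ESET tool.

```powershell
# Added example (not from the ESET forum thread or the WMILister tool).
# Enumerates permanent WMI event subscriptions and optionally removes suspicious ones.
# Assumptions: elevated Windows PowerShell 5.1 (Get-WmiObject), local host by default.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [switch]$Remove
)

$ns = 'root\subscription'

# A permanent subscription is three linked objects: filter (trigger), consumer (action), binding.
$filters   = @(Get-WmiObject -Namespace $ns -Class __EventFilter             -ComputerName $ComputerName)
$consumers = @(Get-WmiObject -Namespace $ns -Class __EventConsumer           -ComputerName $ComputerName)
$bindings  = @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding -ComputerName $ComputerName)

# Heuristic indicators seen in fileless coinminer droppers; assumption, extend as needed.
$suspicious = 'powershell', '-enc', '-e ', 'downloadstring', 'iex', 'invoke-expression',
              'wscript', 'mshta', 'hidden', 'bypass'

foreach ($c in $consumers) {
    # Only these two consumer classes execute arbitrary code; LogFile/NTEventLog/SMTP cannot.
    $payload = switch ($c.__CLASS) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { $c.ScriptText }
        default                     { $null }
    }
    if (-not $payload) { continue }

    $hits = @($suspicious | Where-Object { $payload -match [regex]::Escape($_) })
    $flag = if ($hits.Count -gt 0) { 'SUSPICIOUS' } else { 'review' }

    # Binding.Consumer and Binding.Filter are reference strings such as
    # CommandLineEventConsumer.Name="foo", so match on the object name.
    $myBindings = @($bindings | Where-Object { $_.Consumer -like "*Name=`"$($c.Name)`"*" })
    if ($myBindings.Count -eq 0) {
        "[{0}] orphan consumer {1} ({2}) payload={3}" -f $flag, $c.Name, $c.__CLASS, $payload
        continue
    }

    foreach ($b in $myBindings) {
        $f = $filters | Where-Object { $b.Filter -like "*Name=`"$($_.Name)`"*" } | Select-Object -First 1
        "[{0}] consumer={1} ({2})" -f $flag, $c.Name, $c.__CLASS
        "  filter={0}"  -f $f.Name
        "  query={0}"   -f $f.Query
        "  payload={0}" -f $payload
        if ($hits.Count -gt 0) { "  matched: {0}" -f ($hits -join ', ') }

        if ($Remove -and $hits.Count -gt 0) {
            # Binding first so the consumer can no longer fire, then consumer, then filter.
            $b.Delete()
            $c.Delete()
            if ($f) { $f.Delete() }
            "  removed binding, consumer and filter"
        }
    }
}
```

Run it once without -Remove and read the output before cleaning, for the same reason JamesR warns about the /f switch: legitimate software (SCCM, some backup and monitoring agents) also registers permanent subscriptions, and a keyword match is a prompt to look, not proof. If a subscription keeps reappearing after removal, something else is recreating it; capture the consumer's CommandLineTemplate or ScriptText before deleting it, because that payload is usually the downloader that explains where the rest of the infection lives.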