Jump to content

Malicious Powershell Script, WMI for Persistance

Recommended Posts

I seem to be having the same issue as Marco2526 in this topic from last year:



I have a server that has a mysterious power-shell processes that reopens on a continuous basis. It seems to be generating malicious files that ESET file Security is thankfully cleaning. The powershell script generates files infected with Coinminer.cz, and other trojans.


I believe the script is using WMI for persistence, as described by James R in the previous topic. 


I've run the WMILister_20.vbs script JamesR suggested in the previous topic. The results of the script are attached to this post. However, when I run the recommended powershell commands, they seem to have no effect in removing the issue.


Do I need to modify the powershell scripts for this specific variant of WMI persistence?


Please advise.





Link to comment
Share on other sites

  • Administrators

I would always start with providing logs collected by ELC. Please collect them and provide us with the generated archive.

Link to comment
Share on other sites

  • ESET Staff


Please download and generate an ELC log from here: https://www.eset.com/int/support/log-collector/

Also, please try this newer version of the WMILister v3.0 on the server.  Please supply any logs generated by this tool to me or Marcos so we can ensure we improve in product detection/cleaning.  If any odd scripts are found, you will be prompted if you want to remove them.  It is best to review the log which will be saved inside of a Log folder in the same folder the utility was run from.


Run this command as admin:

cscript //nologo WMILister_30.vbs

If scripts are found, you will be prompted to remove them.  The prompt will remove all scripts it finds if you tell it to.  Here is an example output for no scripts found:



Advanced use:

This version 3.0 has command line switches.  Use this command to see possible switches:

cscript //nologo WMILister_30.vbs /?

These are the possible commands to scan and clean remote machines (Port 135 inbound and port 445 outbound both need to be open on remote machine.  Same open ports are seemingly used for malware to spread, so infected computers likely already have these ports open).

Examples of switch usage are:

Machine Name:
cscript //nologo WMILister_30.vbs /s:MachineName

IP Address:
cscript //nologo WMILister_30.vbs /s:

Force Cleaning with no prompt (use at own risk as this risks removal of non malicious WMI Scripts):
cscript //nologo WMILister_30.vbs /f
cscript //nologo WMILister_30.vbs /s:MachineName /f
cscript //nologo WMILister_30.vbs /s: /f



Edited by JamesR
added example usage of switches
Link to comment
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...