PowerShell/Agent.dy

Solved by Marcos

Procmon generated 7 files for a total of more than 2 GB. I attach the Bootlog.pml file (the first two) and the file generated by Autoruns.
If you also need the other 6 Procmon files, I will have to make more posts.
Thanks

Autoruns.zip

  • Administrators

Looks like Procmon logging was stopped too early, before a detection was triggered; there was no record of Powershell.exe being run in the log.

As for Autoruns, you've provided its binaries, not a log created by the Autoruns application.

  • Administrators

Please provide the content of the C:\Users\gb\AppData\Roaming\EciYLzJxA folder. The folder should contain LfxFKWgd.ps1, hFQTJJ.exe (probably clean, renamed wscript.exe) and LfxFKWgd.txt.

Do not delete the folder/files unless I confirm receipt.


Great "real-world" example of malware renaming Windows script executables to bypass AV HIPS rules and the like.

Time Eset offered PE header name option in the HIPS to prevent a bypass like this.

16 minutes ago, Marcos said:

I don't think it renames the system executable but rather drops or copies it under a different name.

Yes. I suspect this is the case. But in any event, the internal PE header name would remain the same as the source process.

[Screenshot: Eset_wscript.png]

14 minutes ago, Marcos said:

A changed name of a script interpreter cannot fool our products; we perform deep script scanning regardless of the file name of the interpreter.

Hopefully that is the case. But that is not the issue. The issue is I want to block/monitor script execution, period:

[Screenshot: Eset_PE.png]

Ref.: https://docs.microsoft.com/en-us/windows/win32/debug/pe-format
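The point made in the posts above is that copying wscript.exe under a random name changes the on-disk filename but not the VERSIONINFO resource inside the PE, so a defender can compare the two. The following PowerShell is an added example written for this thread, not code from ESET or from any poster; the folder path is the one Marcos named, and hFQTJJ.exe is the file suspected of being a renamed copy of wscript.exe.

```powershell
# Added example: flag executables whose on-disk name differs from the
# OriginalFilename stored in their PE version resource (VERSIONINFO).
# A copy or rename on disk does not touch that resource.
param(
    # Folder named in the thread (C:\Users\gb\AppData\Roaming\EciYLzJxA); adjust as needed.
    [string]$Folder = (Join-Path $env:APPDATA 'EciYLzJxA')
)

function Get-RenamedExecutables {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -Filter *.exe -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            # FileVersionInfo reads OriginalFilename / InternalName from the version resource.
            $vi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($_.FullName)
            $original = $vi.OriginalFilename

            # -ne is case-insensitive in PowerShell, so WSCRIPT.EXE vs wscript.exe is not a hit.
            if ($original -and ($original -ne $_.Name)) {
                [pscustomobject]@{
                    Path             = $_.FullName       # e.g. ...\EciYLzJxA\hFQTJJ.exe
                    OnDiskName       = $_.Name           # e.g. hFQTJJ.exe
                    OriginalFilename = $original         # e.g. wscript.exe
                    InternalName     = $vi.InternalName
                    Company          = $vi.CompanyName
                    # A valid Microsoft signature on a file with the "wrong" name is the
                    # signature of a renamed system binary, not of a tampered one.
                    Signature        = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                }
            }
        }
}

Get-RenamedExecutables -Path $Folder | Format-Table -AutoSize
```

Legitimate software (installers, stub launchers) also produces mismatches, so treat a hit as a triage signal and weigh it together with the signer, the location (a random folder under AppData\Roaming) and any accompanying .ps1 or .txt files like those listed in the thread.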

  • Administrators
1 hour ago, Nicktopa said:

I have the same problem, same warning PowerShell/Agent.dy message from Eset every 3 minutes.

Would you like the logs as you requested before?

Yes, please provide both Autoruns and logs collected with ESET Log Collector. A Procmon boot log may be needed later as well.
