
PowerShell/TrojanDownloader.Agent.DV trojan horse


Solved by JamesR

Posted

Good morning everyone, I need to clean up a compromised Exchange Server. The antivirus detects and cleans the virus, but I need help locating the registry key to delete to prevent the virus from reappearing on reboot.

Screenshot 2023-03-08 093923.png

  • Administrators
Posted

Please provide logs collected with ESET Log Collector and "Threat detection" selected as a template in the ELC menu.

  • ESET Staff
Posted

From looking at the logs provided, you only had detections by an On Demand Scan which successfully cleaned 54 WMI persistent threats.  There are no other threats detected by any other part of ESET.  From what I can see in the provided logs, your server appears clean.

Also of note, ESET Log Collector shows it gathered registry information, but the registry folder is not contained in the provided zip file.  This prevents us from performing any checking of the registry.  By chance, did you delete this from the zip file prior to sharing here?

Can you please elaborate on the symptoms you are seeing after a reboot?

Posted

Hi,

I've done a reboot and an AV scan. 54 viruses were re-detected.

I've redone the log collection with "Threat detection" and I'm reposting it. I hope it is correct. Thanks for your availability.

efsw_logs.zip

  • Administrators
Posted

Is the threat being repeatedly detected if you run several WMI scans in a row? Even if the machine is disconnected from the network and the Internet and rebooted?

Posted

Previous detections all showed malware running from a scheduled task via registry creation:

https://forum.eset.com/topic/28965-powershelltrojandownloaderagentdv-trojan/?do=findComment&comment=135875

https://forum.eset.com/topic/31418-powershelltrojandownloaderagentdv-trojan/?do=findComment&comment=147002

This variant might be deleting its registry keys after it runs to avoid detection by forensic analysis; not an unheard-of tactic.

A possible source of the registry key recreation is a bootkit/rootkit running at system startup.

  • ESET Staff
Posted

@Mauro Tre I have 2 more logs I would like to gather from your computer. This will require you to manually run the 2 PowerShell commands.

  1. First open PowerShell as Admin
  2. Next run the following 2 commands
Get-WmiObject -ComputerName "." -Query "SELECT * FROM Win32_NTLogEvent WHERE Logfile='Windows PowerShell' AND (RecordNumber=4363 OR RecordNumber=4362 OR RecordNumber=4361 OR RecordNumber=4360 OR RecordNumber=4359 OR RecordNumber=4358 OR RecordNumber=4357 OR RecordNumber=4356 OR RecordNumber=4355 OR RecordNumber=4354 OR RecordNumber=4353 OR RecordNumber=4352 OR RecordNumber=4351 OR RecordNumber=4350 OR RecordNumber=4349 OR RecordNumber=4348 OR RecordNumber=4347 OR RecordNumber=4346 OR RecordNumber=4345 OR RecordNumber=4344 OR RecordNumber=4343 OR RecordNumber=4342 OR RecordNumber=4321 OR RecordNumber=4320 OR RecordNumber=4319 OR RecordNumber=4318 OR RecordNumber=4317 OR RecordNumber=4316 OR RecordNumber=4315 OR RecordNumber=4314 OR RecordNumber=4313 OR RecordNumber=4312 OR RecordNumber=4311 OR RecordNumber=4310 OR RecordNumber=4309 OR RecordNumber=4308 OR RecordNumber=4307 OR RecordNumber=4306)" | ConvertTo-Csv -NoTypeInformation | Set-Content -Path "$($env:USERPROFILE)\Desktop\ForESET_PwshWmiQEventLog.csv"
Copy-Item -Path "$($env:SystemRoot)\System32\Winevt\Logs\Windows PowerShell.evtx" -Destination "$($env:USERPROFILE)\Desktop\ForESET_Windows_PowerShell.evtx"

This will save 2 files to your desktop:

  • ForESET_PwshWmiQEventLog.csv
  • ForESET_Windows_PowerShell.evtx

Please run the commands, then zip up the 2 logs on the desktop and provide them here.

My theory is that there is no active infection or backdoor, and that sometime in the past you had malicious PowerShell commands executed on your system, and these were logged to a Windows Event log. Gathering the above logs will help me to verify this and to form a plan to stop ESET from detecting these old event logs.

Posted
On 3/9/2023 at 6:33 PM, JamesR said:


Hi,

Here are the files. Thanks in advance.

Logs.zip

  • ESET Staff
  • Solution
Posted (edited)

@Mauro Tre

Thank you for gathering these final logs. This helped me to confirm my suspicions. There is no sign of any malicious scripts or executables being executed on your system. The on-demand scans you are running are scanning the WMI database, and the specific location in WMI causing detections is the "Windows PowerShell" event log. There are no infections living inside of the WMI database; it's just a coincidence that one can access event logs via WMI, which means that ESET can access and scan the event logs via WMI.

I am not finding any way to delete specific entries inside of an event log. It looks like Microsoft only allows for all entries to be cleared from an event log. What this means is that in order to stop the On Demand scan from triggering detections, you need to clear the "Windows PowerShell" event logs.

Before clearing out the "Windows PowerShell" Event Viewer logs, definitely back them up first. Technically, you already backed them up with the second command I provided previously. Here are the steps to first back up, then clear the "Windows PowerShell" event logs:

  1. Back up the "Windows PowerShell" logs:
     Copy-Item -Path "$($env:SystemRoot)\System32\Winevt\Logs\Windows PowerShell.evtx" -Destination "$($env:USERPROFILE)\Desktop\ForESET_Windows_PowerShell.evtx"
  2. Clear the "Windows PowerShell" logs:
     Clear-EventLog "Windows PowerShell"

After this, you should no longer receive detections when running a scan with ESET.

Summary of findings from all the logs we gathered:

  • "Windows PowerShell" Event Viewer logs show logging of multiple PowerShell commands being executed as far back as 2021
  • ESET was installed sometime in 2022 and immediately cleaned up multiple WebShells related to CVE-2021-26855
  • The above shows that it is very likely that CVE-2021-26855 was used to remotely plant and execute the WebShells, which were executing PowerShell commands that were then logged in the "Windows PowerShell" event logs


-Edited- to add one picture showing the link between the ESET scan logs and the Event Viewer log containing the malicious PowerShell command.

image.png

Edited by JamesR
Adding one screenshot
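The log-gathering commands earlier in the thread and the backup-then-clear steps in the solution, combined into one script as an added example (not code from the thread or from ESET). It assumes Windows PowerShell 5.1 run as Administrator on the affected server; the record-number range is a placeholder to be taken from the ESET detection log, and the backup folder name is arbitrary.

```powershell
# Added example: snapshot the "Windows PowerShell" event log, keep a CSV of the flagged
# records, verify the backup, and only then clear the live log so the WMI scan stops
# re-detecting old entries. Clear-EventLog exists in Windows PowerShell 5.1 only;
# on PowerShell 7 use 'wevtutil cl' instead.
$LogName    = 'Windows PowerShell'
$OutDir     = Join-Path $env:USERPROFILE 'Desktop\EventLogBackup'   # assumed folder
$Stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$BaseName   = "$($LogName -replace ' ', '_')-$Stamp"
$BackupEvtx = Join-Path $OutDir "$BaseName.evtx"
$BackupCsv  = Join-Path $OutDir "$BaseName.csv"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Record the live count before exporting so the later comparison cannot be skewed by
# events written while the script runs.
$LiveCount = (Get-WinEvent -ListLog $LogName).RecordCount

# 1. Export via the Event Log service (a consistent snapshot, unlike copying the .evtx
#    file while the service holds it open).
wevtutil epl $LogName $BackupEvtx
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupEvtx)) {
    throw "Export of '$LogName' failed; nothing was cleared."
}

# 2. Keep a readable CSV of the records the scanner flagged. The thread listed each
#    RecordNumber in a long OR chain; a RecordId range selects the same records.
$FirstRecord = 4306   # placeholder: take these from the ESET detection log
$LastRecord  = 4363
Get-WinEvent -FilterHashtable @{ LogName = $LogName } -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordId -ge $FirstRecord -and $_.RecordId -le $LastRecord } |
    Select-Object RecordId, TimeCreated, Id, MachineName, Message |
    Export-Csv -Path $BackupCsv -NoTypeInformation -Encoding UTF8

# 3. Verify the backup is readable and holds at least every record the live log had,
#    then record its hash so the evidence copy can be checked later.
$BackupCount = @(Get-WinEvent -Path $BackupEvtx -ErrorAction SilentlyContinue).Count
if ($BackupCount -lt $LiveCount) {
    throw "Backup has $BackupCount records but the live log had $LiveCount; not clearing."
}
$Hash = (Get-FileHash -Path $BackupEvtx -Algorithm SHA256).Hash
"$Hash  $BackupEvtx" | Set-Content -Path "$BackupEvtx.sha256"

# 4. Clear the live log only after the backup has been verified.
Clear-EventLog -LogName $LogName
Write-Host "Backed up $BackupCount records to $BackupEvtx (SHA256 $Hash); cleared '$LogName'."
```

Re-run the ESET on-demand WMI scan afterwards; if detections persist, the records are being recreated and the event source, not the log, is the thing to investigate.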