Mauro Tre Posted March 8, 2023
Good morning everyone, I need to clean up a compromised Exchange Server. The antivirus detects and cleans the virus, but I need help locating the registry key to delete to prevent the virus from reappearing on reboot.
Marcos (Administrator) Posted March 8, 2023
Please provide logs collected with ESET Log Collector and "Threat detection" selected as a template in the ELC menu.
Mauro Tre (Author) Posted March 8, 2023
Hi, the logs are attached. Thanks.
efsw_logs.zip
JamesR (ESET Staff) Posted March 8, 2023
From looking at the logs provided, you only had detections by an On Demand Scan, which successfully cleaned 54 WMI persistent threats. There are no other threats detected by any other part of ESET. From what I can see in the provided logs, your server appears clean. Also of note, ESET Log Collector shows it gathered registry information, but the registry folder is not contained in the provided zip file. This prevents us from performing any checking of the registry. By chance, did you delete this from the zip file prior to sharing here? Can you please elaborate on the symptoms you are seeing after a reboot?
Mauro Tre (Author) Posted March 9, 2023
Hi, I've done a reboot and an AV scan. 54 viruses were re-detected. I've redone the log collection with "Threat detection" and I'm reposting. I hope it is correct. Thanks for your availability.
efsw_logs.zip
Marcos (Administrator) Posted March 9, 2023
Is the threat being repeatedly detected if you run several WMI scans in a row? Even if the machine is disconnected from the network and the Internet, and after a reboot?
itman Posted March 9, 2023
Previous detections all showed malware running from a scheduled task via registry creation:
https://forum.eset.com/topic/28965-powershelltrojandownloaderagentdv-trojan/?do=findComment&comment=135875
https://forum.eset.com/topic/31418-powershelltrojandownloaderagentdv-trojan/?do=findComment&comment=147002
This variant might be deleting its registry keys after it runs to avoid forensic analysis detection; not an unheard-of tactic. A possible source for the recreation of its registry keys is a boot/rootkit running at system startup time.
itman Posted March 9, 2023
Another possibility is that a PowerShell backdoor has been installed: https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/ . Also, this puppy deletes all its registry traces.
JamesR (ESET Staff) Posted March 9, 2023
@Mauro Tre I have 2 more logs I would like to gather from your computer. This will require you to manually run the 2 PowerShell commands.

First, open PowerShell as Admin. Next, run the following 2 commands:

Get-WmiObject -ComputerName "." -Query "SELECT * FROM Win32_NTLogEvent WHERE Logfile='Windows PowerShell' AND (RecordNumber=4363 OR RecordNumber=4362 OR RecordNumber=4361 OR RecordNumber=4360 OR RecordNumber=4359 OR RecordNumber=4358 OR RecordNumber=4357 OR RecordNumber=4356 OR RecordNumber=4355 OR RecordNumber=4354 OR RecordNumber=4353 OR RecordNumber=4352 OR RecordNumber=4351 OR RecordNumber=4350 OR RecordNumber=4349 OR RecordNumber=4348 OR RecordNumber=4347 OR RecordNumber=4346 OR RecordNumber=4345 OR RecordNumber=4344 OR RecordNumber=4343 OR RecordNumber=4342 OR RecordNumber=4321 OR RecordNumber=4320 OR RecordNumber=4319 OR RecordNumber=4318 OR RecordNumber=4317 OR RecordNumber=4316 OR RecordNumber=4315 OR RecordNumber=4314 OR RecordNumber=4313 OR RecordNumber=4312 OR RecordNumber=4311 OR RecordNumber=4310 OR RecordNumber=4309 OR RecordNumber=4308 OR RecordNumber=4307 OR RecordNumber=4306)" | ConvertTo-Csv -NoTypeInformation | Set-Content -Path "$($env:USERPROFILE)\Desktop\ForESET_PwshWmiQEventLog.csv"

Copy-Item -Path "$($env:SystemRoot)\System32\Winevt\Logs\Windows PowerShell.evtx" -Destination "$($env:USERPROFILE)\Desktop\ForESET_Windows_PowerShell.evtx"

This will save 2 files to your desktop:
ForESET_PwshWmiQEventLog.csv
ForESET_Windows_PowerShell.evtx

Please run the commands, then zip up the 2 logs on the desktop and provide them here.

My theory is that there is no active infection or backdoor, and that sometime in the past you had malicious PowerShell commands executed on your system, and these were logged to a Windows Event log. Gathering the above logs will help me to verify this and to form a plan to stop ESET from detecting these old event logs.
Mauro Tre (Author) Posted March 13, 2023
On 3/9/2023 at 6:33 PM, JamesR said: @Mauro Tre I have 2 more logs I would like to gather from your computer. [...]
Hi, here are the files. Thanks in advance.
Logs.zip
JamesR (ESET Staff) Posted March 13, 2023 (edited) [Solution]
@Mauro Tre Thank you for gathering these final logs. This helped me to confirm my suspicions. There is no sign of any malicious scripts or executables being executed on your system. The on demand scans you are running are scanning the WMI database, and the specific location in the WMI causing detections is the "Windows PowerShell" event log. There are no infections living inside of the WMI database; it's just a coincidence that one can access event logs via WMI, which means that ESET can access and scan the event logs via WMI.

I am not finding any way to delete specific entries inside of an event log. It looks like Microsoft only allows for all entries to be cleared from an event log. What this means is that in order to stop the On Demand scan from triggering detections, you need to clear the "Windows PowerShell" event logs. Before clearing out the "Windows PowerShell" Event Viewer logs, definitely back them up first. Technically, you already backed them up with the second command I provided previously.

Here are the steps to first back up, then clear the "Windows PowerShell" event logs.

Back up "Windows PowerShell" logs:

Copy-Item -Path "$($env:SystemRoot)\System32\Winevt\Logs\Windows PowerShell.evtx" -Destination "$($env:USERPROFILE)\Desktop\ForESET_Windows_PowerShell.evtx"

Clear "Windows PowerShell" logs:

Clear-EventLog "Windows PowerShell"

After this, you should no longer receive detections when running a scan with ESET.
Summary of findings from all the logs we gathered:
"Windows PowerShell" Event Viewer logs show logging of multiple PowerShell commands being executed as far back as 2021.
ESET was installed sometime in 2022 and immediately cleaned up multiple WebShells related to CVE-2021-26855.
The above shows that it is very likely that CVE-2021-26855 was used to remotely plant and execute the WebShells, which were executing PowerShell commands that were then logged in the "Windows PowerShell" event logs.
-Edited- to add one picture showing the link between the ESET scan logs and the Event Viewer log containing the malicious PowerShell command.
Edited March 13, 2023 by JamesR: Adding one screenshot
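The procedure JamesR describes in the accepted answer (look at the log the way a WMI scan sees it, back it up, then clear it) as a single guarded script. This is an added example and not JamesR's or ESET's code: it uses Get-CimInstance against Win32_NTLogEvent (the same class his Get-WmiObject query targets) to show what a WMI-based scan can read, exports those records to CSV, archives the log with wevtutil, and only then calls Clear-EventLog. The backup directory and file names are assumptions; run it in an elevated Windows PowerShell 5.1 session, since Clear-EventLog is not available in PowerShell 7.

```powershell
# Added example (not from the thread): back up the classic "Windows PowerShell" event log,
# inspect it through the same WMI class a scanner uses, and clear it only once the backup
# has been verified. Backup paths below are assumptions; adjust them to your environment.

$LogName    = 'Windows PowerShell'
$BackupDir  = Join-Path $env:USERPROFILE 'Desktop\EventLogBackup'   # assumed location
$Stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$EvtxBackup = Join-Path $BackupDir "Windows_PowerShell_$Stamp.evtx"
$CsvExport  = Join-Path $BackupDir "Windows_PowerShell_$Stamp.csv"

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. The view a WMI scan gets: Win32_NTLogEvent exposes every record of the log, message
#    text included, which is why old logged commands can trigger an on-demand WMI scan.
#    Get-CimInstance is the current replacement for Get-WmiObject.
$records = Get-CimInstance -ClassName Win32_NTLogEvent -Filter "Logfile='$LogName'"
Write-Output "Records in '$LogName' reachable via WMI: $(@($records).Count)"

# 2. Keep a readable copy of the evidence before anything is removed.
$records |
    Select-Object RecordNumber, TimeGenerated, EventCode, SourceName, Message |
    Export-Csv -Path $CsvExport -NoTypeInformation -Encoding UTF8

# 3. Archive the log itself. 'wevtutil epl' exports through the Event Log service, so the
#    copy is consistent even while the log is open, unlike copying the live .evtx file.
wevtutil epl $LogName $EvtxBackup
if ($LASTEXITCODE -ne 0) { throw "wevtutil export failed with exit code $LASTEXITCODE" }

# 4. Refuse to clear unless the archive exists and is non-empty.
$backup = Get-Item -Path $EvtxBackup -ErrorAction Stop
if ($backup.Length -le 0) { throw "Backup $EvtxBackup is empty; not clearing the log" }

# 5. Windows only clears a whole log, never single records, so require an explicit
#    confirmation before the entries disappear.
Clear-EventLog -LogName $LogName -Confirm

# 6. Re-query through WMI: after clearing, only new engine lifecycle records should remain.
$remaining = @(Get-CimInstance -ClassName Win32_NTLogEvent -Filter "Logfile='$LogName'").Count
Write-Output "Records remaining after clear: $remaining (archive: $EvtxBackup)"
```

Keep the .evtx and .csv exports with the rest of the incident evidence; once the log is cleared, a follow-up ESET WMI scan should come back clean, and any new detection would point at fresh activity rather than the 2021 records.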