Powershell script running in our environment – Is it malicious???

    • #167803
      Participant
      Topics: 1
      Replies: 0
      Points: 16
      Rank: Member

      Any PowerShell experts? I could use your help.

      I have this script below that is running on multiple hosts, and I'm wondering if you can tell me what it means or does?

      Thanks:

      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -version 2 -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp "HKLM:\SOFTWARE\Microsoft\Powershell").ScriptInit)));


    • #167875
      Participant
      Topics: 0
      Replies: 28
      Points: 142
      Helping Hand
      Rank: Participant

      What is the value in the ScriptInit registry key?
      Looks like it is invoking a command which is encoded in the ScriptInit key.

      Also did a Google search, and it is pointing to malicious.
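
Following up on the reply above, here is an added example (not code from the original thread, and not written by any of the posters) that reads the ScriptInit value and decodes it exactly the way the launcher does, but stops short of Invoke-Expression, so the payload can be read, hashed and triaged without ever running it. The host names on the Invoke-Command lines and the C:\IR output path are placeholders.

```powershell
# Added example, not from the original thread: decode what the launcher would
# run, without running it. The command in the question reads
# HKLM:\SOFTWARE\Microsoft\Powershell\ScriptInit, Base64-decodes it as ASCII and
# hands the text to iex (Invoke-Expression). This reproduces every step except
# the last one and can be pushed to the affected hosts with Invoke-Command.

$inspect = {
    $keyPath   = 'HKLM:\SOFTWARE\Microsoft\Powershell'
    $valueName = 'ScriptInit'

    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Host = $env:COMPUTERNAME; Present = $false }
    }
    $encoded = [string]$item.$valueName

    # Same decode the launcher performs: Base64 -> bytes -> ASCII text.
    try {
        $bytes = [Convert]::FromBase64String($encoded)
    } catch {
        return [pscustomobject]@{ Host = $env:COMPUTERNAME; Present = $true; Error = "Not valid Base64: $_"; Raw = $encoded }
    }
    $decoded = [Text.Encoding]::ASCII.GetString($bytes)

    # Hash of the decoded bytes, so copies from different hosts can be compared
    # and the sample can be referenced without pasting its full content around.
    $sha256 = [BitConverter]::ToString(
        [Security.Cryptography.SHA256]::Create().ComputeHash($bytes)) -replace '-', ''

    # Quick static triage: regex patterns for tokens that commonly appear in
    # staged PowerShell downloaders and loaders. A hit is a prompt to read the
    # script, not a verdict.
    $indicators = 'FromBase64String', 'Invoke-Expression', '\biex\b', 'DownloadString',
                  'DownloadFile', 'Net\.WebClient', 'Invoke-WebRequest', 'Start-Process',
                  'Reflection\.Assembly', 'VirtualAlloc', '-EncodedCommand', '\s-e(nc|c)?\s',
                  'Add-MpPreference', 'schtasks', 'New-ScheduledTask'
    $hits = $indicators | Where-Object { $decoded -match $_ }

    [pscustomobject]@{
        Host       = $env:COMPUTERNAME
        Present    = $true
        RawLength  = $encoded.Length
        Sha256     = $sha256
        Indicators = ($hits -join ', ')
        Script     = $decoded
    }
}

# Run locally on the machine you are sitting at ...
$result = & $inspect
$result | Format-List

# ... or across the hosts where the launcher was seen (placeholder host names),
# keeping a copy of each decoded script for the security team.
# $results = Invoke-Command -ComputerName 'host01', 'host02' -ScriptBlock $inspect
# $results | Select-Object PSComputerName, Present, Sha256, Indicators | Format-Table -AutoSize
# $results | Where-Object Present | ForEach-Object { $_.Script | Set-Content -Path "C:\IR\ScriptInit-$($_.Host).txt" }
```

Nothing here touches the registry value or the payload beyond reading it, so it does not disturb evidence on the host; the decoded text is what a reviewer needs to see, and the SHA-256 of the decoded bytes tells you whether every host is carrying the same payload or different ones.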

    • #168151
      Participant
      Topics: 2
      Replies: 1008
      Points: 2,053
      Helping Hand
      Rank: Community Hero

      If you did not write and deploy it, and/or no one you are aware of did so, or it was not part of some package you purchased, then the default security process is to fail closed / disconnect it from the network / isolate the device / do not tamper with it or you ruin forensics / not trusted / kill it, period. Send it to your risk management / security team for review, as a simple text file, or bring them to the system that has it.

      If you don’t know what a script is doing, then don’t allow it to run.

      All audit modes should be leveraged.
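
As an added example of the "audit modes" the reply above refers to (this is not code from the original thread or from any of the posters), the block below enables Windows PowerShell's script block logging, module logging and transcription through their policy registry keys, checks for the 2.0 engine that the launcher's -version 2 switch selects, and searches the events already on the host for the launcher's decode pattern. The transcript share \\logserver\pstranscripts$ is an assumed placeholder; run the block elevated.

```powershell
# Added example, not from the original thread: switch on PowerShell's own audit
# features and then search what they have already captured for the launcher in
# the question. The registry paths are the policy locations that the
# "Turn on PowerShell Script Block Logging" / "Module Logging" / "Transcription"
# Group Policy settings write; the transcript share is an assumed placeholder.

$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script block logging: the engine records the text of each script block it
# compiles (event 4104). For this launcher that includes the decoded payload
# at the moment iex hands it to the engine.
New-Item -Path "$policy\ScriptBlockLogging" -Force | Out-Null
New-ItemProperty -Path "$policy\ScriptBlockLogging" -Name EnableScriptBlockLogging -PropertyType DWord -Value 1 -Force | Out-Null

# Module logging for all modules: pipeline execution details (event 4103).
New-Item -Path "$policy\ModuleLogging\ModuleNames" -Force | Out-Null
New-ItemProperty -Path "$policy\ModuleLogging" -Name EnableModuleLogging -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty -Path "$policy\ModuleLogging\ModuleNames" -Name '*' -PropertyType String -Value '*' -Force | Out-Null

# Transcription: a per-session text transcript written to a collector share
# (assumed path), so the host's own copy is not the only record.
New-Item -Path "$policy\Transcription" -Force | Out-Null
New-ItemProperty -Path "$policy\Transcription" -Name EnableTranscripting    -PropertyType DWord  -Value 1 -Force | Out-Null
New-ItemProperty -Path "$policy\Transcription" -Name EnableInvocationHeader -PropertyType DWord  -Value 1 -Force | Out-Null
New-ItemProperty -Path "$policy\Transcription" -Name OutputDirectory        -PropertyType String -Value '\\logserver\pstranscripts$' -Force | Out-Null

# Caveat that matters for this launcher: it starts with "-version 2". The
# Windows PowerShell 2.0 engine predates all three features, so a script run
# through it leaves none of these records. Check whether that engine is still
# installed (Windows client; on Windows Server use Get-WindowsFeature PowerShell-V2).
Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root |
    Select-Object FeatureName, State
# Remove it with:
#   Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root

# What is already in the log: script block events carrying the launcher's
# decode-and-run pattern, newest first.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'FromBase64String' -and $_.Message -match 'ScriptInit' } |
    Select-Object TimeCreated, Id,
        @{ Name = 'Snippet'; Expression = { $_.Message.Substring(0, [Math]::Min(160, $_.Message.Length)) } } |
    Format-Table -AutoSize -Wrap
```

The registry writes take effect for new PowerShell sessions; anything that ran before they were set will only appear in the 4104 search if the host already had script block logging on, which is exactly why the reply above says to turn the audit modes on before you need them.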

    • #168181
      Participant
      Topics: 0
      Replies: 45
      Points: 243
      Helping Hand
      Rank: Participant

      @akimbjj7725

      Is your system managed by any MSP software like Kaseya or ConnectWise?
