Jump to content

Powershell Script Blocked


Recommended Posts

Hi guys,

Since upgrading to Malwarebytes v3 we are seeing a popup saying that a powershell script is being called and blocked. I can't see where it is being called from to kill the process, any ideas on how to track down this (possible) infection?

It says that it was logged in this JSON file, which I have opened and copy and pasted here:

BF9D0ABCC47F1F768A74D037871D81282A5284035F1CAF1E6DD38687061FFCCD
{
   "applicationVersion" : "3.0.4.1269",
   "clientID" : "",
   "clientType" : "other",
   "componentsUpdatePackageVersion" : "1.0.39",
   "cpu" : "x64",
   "dbSDKUpdatePackageVersion" : "1.0.706",
   "detectionDateTime" : "2016-12-12T22:20:16Z",
   "fileSystem" : "NTFS",
   "id" : "289c33a0-c0b9-11e6-9d2e-00155d091702",
   "isUserAdmin" : true,
   "licenseState" : "trial",
   "linkagePhaseComplete" : false,
   "loggedOnUserName" : "System",
   "machineID" : "",
   "os" : "Windows Server 2012 R2",
   "schemaVersion" : 1,
   "sourceDetails" : {
      "type" : "ae"
   },
   "threats" : [
      {
         "linkedTraces" : [

         ],
         "mainTrace" : {
            "cleanAction" : "block",
            "cleanResult" : "successful",
            "cleanResultErrorCode" : 0,
            "cleanTime" : "2016-12-12T22:20:16Z",
            "exploitData" : {
               "appDisplayName" : "cmd",
               "blockedFileName" : "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe Get-AppxPackage | Where Name -match ICQ | Select-Object -Expand Version",
               "layerText" : "Application Behavior Protection",
               "protectionTechnique" : "Exploit payload process blocked",
               "url" : ""
            },
            "generatedByPostCleanupAction" : false,
            "id" : "289c33a1-c0b9-11e6-a4d6-00155d091702",
            "linkType" : "none",
            "objectMD5" : "",
            "objectPath" : "",
            "objectSha256" : "",
            "objectType" : "exploit"
         },
         "ruleID" : -1,
         "rulesVersion" : "0.0.0",
         "threatID" : 0,
         "threatName" : "Malware.Exploit.Agent.Generic"
      }
   ],
   "threatsDetected" : 1
}

 

Link to post
Share on other sites

  • Staff

Hello AlexLeadingEdge,

 

I want to have you collect me another log that has a bit more information on that block as I want to see what protection layer it is hitting. The log is called mbae-default.txt and it is found under the C:\ProgramData\Malwarebytes\MBAMService. I would replicate the block again before you grab that log so it is at the bottom. Once you do that, get it over to me and I should be able to see what is happening in this instance. 

Link to post
Share on other sites

Just had two more:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 12/13/16
Protection Event Time: 11:20 AM
Logfile: 
Administrator: Yes

-Software Information-
Version: 3.0.4.1269
Components Version: 1.0.39
Update Package Version: 1.0.706
License: Trial

-System Information-
OS: Windows Server 2012 R2
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, , Blocked, [0], [-1],0.0.0

-Exploit Data-
Affected Application: cmd
Protection Layer: Application Behavior Protection
Protection Technique: Exploit payload process blocked
File Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Get-AppxPackage | Where Name -match Line | Select-Object -Expand Version
URL: 



(end)
Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 12/13/16
Protection Event Time: 11:21 AM
Logfile: 
Administrator: Yes

-Software Information-
Version: 3.0.4.1269
Components Version: 1.0.39
Update Package Version: 1.0.706
License: Trial

-System Information-
OS: Windows Server 2012 R2
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, , Blocked, [0], [-1],0.0.0

-Exploit Data-
Affected Application: cmd
Protection Layer: Application Behavior Protection
Protection Technique: Exploit payload process blocked
File Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Get-AppxPackage | Where Name -match PiipCorporation.PiipMessenger | Select-Object -Expand Version
URL: 



(end)

 

Link to post
Share on other sites

5 minutes ago, Rsullinger said:

Hello AlexLeadingEdge,

 

I want to have you collect me another log that has a bit more information on that block as I want to see what protection layer it is hitting. The log is called mbae-default.txt and it is found under the C:\ProgramData\Malwarebytes\MBAMService. I would replicate the block again before you grab that log so it is at the bottom. Once you do that, get it over to me and I should be able to see what is happening in this instance. 

Is this the file you want? It looks encrypted?

mbae-default.zip

Link to post
Share on other sites

  • Staff

Hello Alex,

 

Thank you for that. IT is the log I was looking for and it is encrypted. So it looks like it may be comming from this file:

 

C:\Program Files\Managed Antivirus\Managed Antivirus Master Service\powershell.exe 

Is that something you have on the computer? It seems to be the way it is calling the powershell script may be the reason it is being blocked. If you do know what that script is, do you know what it is attempting to do? 

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.