Root Admin AdvancedSetup Posted September 1, 2021 Root Admin ID:1477956 Share Posted September 1, 2021 Please run GPedit.msc and browse to the following tree level Local Computer Policy -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy Double-click and open the Audit object access entry and enable Success and Failure Then open My Computer or run Windows File Explorer and browse to the following location. C:\Windows\System32\WindowsPowerShell\v1.0 In that folder please find the file: powershell.exe Right-Click on powershell.exe and select Properties and go to the Security tab and click the Advanced button Then click on the Auditing tab, then the Continue button After you click the Continue button the controls will unlock to allow editing Currently the owner should be TrustedInstaller Highlight the Everyone entry and click the Edit button Make sure the Principal is set to Everyone and the Type is All - then click OK a couple of times to close out the boxes Then restart your computer and once you do see the PowerShell kick off again let me know and we'll track it down in the Event Viewer. Write down the exact time you saw it run in case we need to isolate the time in the Event Logs Cheers Link to post Share on other sites More sharing options...
Matfra Posted September 2, 2021 Author ID:1478211 Share Posted September 2, 2021 Perfect, I've done exactly as you said, now we just have to wait. Ill make sure to check the time as precisely as possible. Thank you, Mattia Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted September 2, 2021 Root Admin ID:1478216 Share Posted September 2, 2021 Thank you @Matfra Keep me posted Link to post Share on other sites More sharing options...
Matfra Posted September 5, 2021 Author ID:1478459 Share Posted September 5, 2021 Hello, today powershell ran again, it was blocked at 11:31 AM and I saw the warning of windows defender at 11:31:17, so I think it was between the 17 seconds. Let me know our next move. Thank you, Mattia Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted September 5, 2021 Root Admin ID:1478478 Share Posted September 5, 2021 It's a 3 day Holiday here in the US and I'm spending much of it with the family. Will try to get with you later in the evening if possible. If not then for sure on Tuesday @Matfra Link to post Share on other sites More sharing options...
Matfra Posted September 5, 2021 Author ID:1478484 Share Posted September 5, 2021 Hello, do not worry! Please spend your time with your family and don't worry about me, seen as it's not an urgent matter (as it's not a virus) we can absolutely talk about it on tuesday, for now just enjoy the holiday! Thank you, Mattia Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted October 8, 2021 Root Admin ID:1483125 Share Posted October 8, 2021 Hello @Matfra Following up again before we close out to see if you wanted further assistance. Let me know Cheers Link to post Share on other sites More sharing options...
Matfra Posted October 9, 2021 Author ID:1483345 Share Posted October 9, 2021 Hello, yes, sorry for making you wait, I got caught up in school. So, powershell is still running, but with the steps you made me do we could, theoretically, track which program is making it run, right? Let me know how to do it and I'll let you know what I find when it runs tomorrow. Thank you, Mattia Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted October 10, 2021 Root Admin ID:1483401 Share Posted October 10, 2021 No, we're not making it work but we put some pieces in place to try and track it down via auditing. It's the weekend so I'll follow up with you on Monday and see where we're at. Thanks @Matfra Link to post Share on other sites More sharing options...
Matfra Posted October 10, 2021 Author ID:1483411 Share Posted October 10, 2021 Hello, very well then, see you on Monday! Thank you, Mattia Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted October 20, 2021 Root Admin ID:1484723 Share Posted October 20, 2021 Hello @Matfra Sorry we keep missing each other. Let me know again when you're ready or if you still want to check on this. Cheers Link to post Share on other sites More sharing options...
Matfra Posted October 21, 2021 Author ID:1484845 Share Posted October 21, 2021 Hello, when you want I'm ready to do this, only if I remember correctly we should need a fresh "block" of powershell to proceed, is that correct? Thank you, Mattia Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted October 21, 2021 Root Admin ID:1484846 Share Posted October 21, 2021 No, we just have to finish up the auditing settings I believe. I'm currently in a meeting. I'll read up some and get with you again within the next 30 minutes. @Matfra Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted October 21, 2021 Root Admin ID:1484847 Share Posted October 21, 2021 Actually I believe we have already set up the Auditing based on the Sept 1 posting above. Now all we should need to do is look for the entry in the Event Logs - Just a moment and let me verify something. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted October 21, 2021 Root Admin ID:1484857 Share Posted October 21, 2021 I've sent you a follow up Private Message @Matfra Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted December 24, 2021 Root Admin ID:1494478 Share Posted December 24, 2021 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Please review the following to help you better protect your computer and privacy Tips to help protect from infection Thank you Link to post Share on other sites More sharing options...
Recommended Posts