Mark Minasi's Tech Forum
timwiser

New Friend (or an Old Friend who Built a New Account)
Posts: 19
#1
We use FSRM to block Cryptolocker infections and other ransomware. Well, it goes a long way to stopping them, but nothing's perfect, hey? Anyway, when a block occurs, I get an email. On a regular basis I get emails looking like this:

Cryptolocker alert! The system detected that user MYDOMAIN\MYUSERNAME attempted to save C:\Users\MYUSERNAME\AppData\Local\Temp\uanobked.zz2.ps1 on server TERMINALSERVER. Source process was C:\Windows\System32\wsmprovhost.exe, PID 17556

Obviously the MYDOMAIN and MYUSERNAME will be different. The filename always differs and is occasionally a .psm1 file instead of a .ps1, but the source process is always wsmprovhost.exe.

This looks suspicious. What do you guys think?
donoli

Senior Member
Posts: 497
#2
I googled 'wsmprovhost.exe attacks' and most of the results talked about PowerShell. It seems that PowerShell is a good vehicle for such attacks. There is a list as to why that's true on the site below.

https://dfir-blog.com/2015/09/27/dissecting-powershell-attacks/
jsclmedave

Administrator
Posts: 435
#3
Posting from the Twitter reply:

> Yes, that's PowerShell testing the language mode in a PowerShell Remoting connection.

__________________
Tim Bolton @jsclmedave
Email: [string](0..20|%{[char][int](32+('527377347976847978324785847679797514357977').substring(($_*2),2))}) -replace ' '

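A small triage script for these FSRM notifications, added here as an example and not code from the thread or from FSRM itself. It parses the alert text quoted above into fields and applies the rule the reply gives (wsmprovhost.exe writing a random-named .ps1/.psm1 under the user's Temp folder is the remoting language-mode check), while anything else hitting the file screen is flagged for investigation; the second sample alert and the field names are constructed.

```python
import re

# Matches the body of the FSRM notification quoted in the thread.
ALERT_RE = re.compile(
    r"user (?P<user>\S+) attempted to save (?P<path>.+?) on server (?P<server>\S+)\. "
    r"Source process was (?P<process>.+?), PID (?P<pid>\d+)"
)

# Transient script dropped by PowerShell Remoting: 8-char random name, 3-char
# random middle extension, then .ps1 or .psm1, under %LOCALAPPDATA%\Temp
# (e.g. uanobked.zz2.ps1 in the original post).
REMOTING_TEMP_RE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[a-z0-9]{8}\.[a-z0-9]{3}\.psm?1$",
    re.IGNORECASE,
)


def parse_alert(text):
    """Extract user, path, server, process and PID from one alert; None if it doesn't match."""
    m = ALERT_RE.search(text)
    if not m:
        return None
    fields = m.groupdict()
    fields["pid"] = int(fields["pid"])
    return fields


def triage(alert):
    """Return (verdict, reason). Assumption taken from the thread's answer: the
    wsmprovhost.exe temp-script write is expected remoting noise, not ransomware."""
    proc = alert["process"].lower()
    if proc.endswith("\\wsmprovhost.exe") and REMOTING_TEMP_RE.match(alert["path"]):
        return "expected", "PowerShell Remoting language-mode test file"
    if alert["path"].lower().endswith((".ps1", ".psm1")):
        return "investigate", "script written by unexpected process " + alert["process"]
    return "investigate", "file screen hit outside known-benign patterns"


# Constructed sample alerts: the first is the thread's own text, the second is made up.
SAMPLE_ALERTS = [
    r"Cryptolocker alert! The system detected that user MYDOMAIN\MYUSERNAME attempted to save "
    r"C:\Users\MYUSERNAME\AppData\Local\Temp\uanobked.zz2.ps1 on server TERMINALSERVER. "
    r"Source process was C:\Windows\System32\wsmprovhost.exe, PID 17556",
    r"Cryptolocker alert! The system detected that user MYDOMAIN\bob attempted to save "
    r"C:\Users\bob\Documents\budget.xlsx.encrypted on server FILESRV01. "
    r"Source process was C:\Users\bob\AppData\Roaming\updater.exe, PID 4120",
]

if __name__ == "__main__":
    for text in SAMPLE_ALERTS:
        alert = parse_alert(text)
        print(alert["server"], alert["user"], alert["pid"], *triage(alert))
```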