DouglasGray-4067 asked:

.ps1 files auto-executing from C:\Windows\system32\config\systemprofile\AppData\Local\

Good afternoon,

I'm using sysmon and I've detected random .ps1 files running across my enterprise at different time intervals. I attempted to locate these .ps1 files on my local Windows 10 system and they have disappeared or been deleted. Is this some normal check that Windows automatically runs, or potentially something malicious? Below is a snippet of the command that is executed.

powershell -ExecutionPolicy ByPass -FILE "C:\WINDOWS\system32\config\systemprofile\AppData\Local\cccbdc7c6d344222978a1a4d9a67e2ee.ps1"

I'm just trying to figure out if this is normal behavior as we're seeing across all workstations.

Any help would be greatly appreciated.

Doug

OS Versions: Windows 10

Tags: windows-server-powershell, mem-intune-general, mem-intune-application-management

RichMatheisen-8856 answered:

If you can't identify it, consider it to be malicious.

There's no "systemprofile" directory in C:\WINDOWS\system32\config that belongs there. I also doubt there'd be an "AppData" directory; that's the kind of directory you'd find in a user's profile. The "config" directory isn't accessible to normal users, either (unless you've changed the ACL).


DouglasGray-4067 answered:

These are the files located in the folder. I'm wondering if they're possibly related to intune?

(attached screenshot: image.png, listing of the folder)

RichMatheisen-8856 commented:

I don't usually deal with the O/S stuff, so I was a bit hasty in saying that there's no 'systemprofile' subdirectory in c:\windows\system32\config. A bit more searching, and it looks like this is the directory used by the SYSTEM account when it's used as the account to execute things.

I see there are subdirectories in the AppData directory that look like you're using MDM (mobile device management), Direct3D, and BranchCache (dd637832(v=ws.10)). It may be that those are what're running those scripts. But it's not a PowerShell problem, so you might want to add additional tags to your original post (or create a new one) that asks about the specific software you're running on your machines.

DouglasGray-4067 answered:

Thank you for your input. I added some intune tags to the original question. Hopefully that helps further the conversation. Based on what I see in the 'systemprofile' directory, I'm willing to bet it is related to intune, but need confirmation.


MotoX80 commented:

I haven't used sysmon, but if you can capture this activity in Process Monitor, double click on an event and in the Process tab it will show the Parent PID that launched PowerShell.exe. See what .exe that is.

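The parent-process check MotoX80 describes, applied to the Sysmon Event ID 1 (process create) records the asker already collects rather than to Process Monitor, as an added example that is not part of this thread: it filters process-creation events for powershell.exe running a 32-hex-character .ps1 from the systemprofile AppData\Local path and reports ParentImage, which is the launcher to identify. The sample records, the ExampleRMM agent path and the function names are constructed for the example.

```powershell
# Added example, not from the thread: triage Sysmon Event ID 1 records for powershell.exe
# launching a random-named .ps1 from the SYSTEM profile's AppData\Local and show the parent.
# Path pattern from the question: ...\systemprofile\AppData\Local\<32 hex chars>.ps1
$ScriptPathPattern = '\\system32\\config\\systemprofile\\AppData\\Local\\[0-9a-f]{32}\.ps1'

function Get-SysmonField {
    param([xml]$EventXml, [string]$Name)
    # Sysmon stores each field as <Data Name="...">value</Data> under EventData
    ($EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Find-SystemProfileScriptLaunch {
    param([string[]]$EventXmlRecords)
    foreach ($record in $EventXmlRecords) {
        $xml   = [xml]$record
        $image = Get-SysmonField $xml 'Image'
        $cmd   = Get-SysmonField $xml 'CommandLine'
        if ($image -match '\\powershell\.exe$' -and $cmd -match $ScriptPathPattern) {
            [pscustomobject]@{
                UtcTime     = Get-SysmonField $xml 'UtcTime'
                User        = Get-SysmonField $xml 'User'
                CommandLine = $cmd
                ParentImage = Get-SysmonField $xml 'ParentImage'   # the launcher to identify
            }
        }
    }
}

# Constructed sample record (hypothetical RMM agent as parent). For live data use:
# Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1} |
#     ForEach-Object { $_.ToXml() }
$SampleHit = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID></System><EventData>
<Data Name="UtcTime">2022-04-01 12:00:00.000</Data>
<Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name="CommandLine">powershell -ExecutionPolicy ByPass -FILE "C:\WINDOWS\system32\config\systemprofile\AppData\Local\cccbdc7c6d344222978a1a4d9a67e2ee.ps1"</Data>
<Data Name="User">NT AUTHORITY\SYSTEM</Data>
<Data Name="ParentImage">C:\Program Files\ExampleRMM\agent.exe</Data>
</EventData></Event>
'@
# Constructed benign record that must not match: a user running a script from their own profile
$SampleMiss = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID></System><EventData>
<Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name="CommandLine">powershell -File C:\Users\doug\Documents\report.ps1</Data>
<Data Name="ParentImage">C:\Windows\explorer.exe</Data>
</EventData></Event>
'@
Find-SystemProfileScriptLaunch -EventXmlRecords @($SampleHit, $SampleMiss) | Format-List
```

Only the first record is reported, with ParentImage pointing at the agent; on live data, a parent you cannot account for is the case to treat as suspicious.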
LimitlessTechnology-2700 answered:

Hi there,

In general, there shouldn't be any PS script running in the background unless your work environment requires some constant data collection, and if you cannot find the original source of the script, then it must be something to be taken seriously.

In addition to sysmon I would also suggest you use Process Explorer, which shows you information about which handles and DLLs processes have opened or loaded. You can get the tool from here: https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

Locate the PowerShell process in the list and double-click it to see its properties. This will give details such as its command line, parent process, environment, and more. If you set the Lower Pane view to "Handles", you can also see used resources such as opened files.


Crystal-MSFT answered:

@DouglasGray-4067, based on my research, AppData is used for per-user configuration and data stores, to achieve a degree of user isolation. The system profile is not a template; it is the profile directory for the system user account.

For the script, I didn't find it on my Intune enrolled device. As the directory will store system account configuration or data, and the script has a random id, it is hard to say if it is Intune related. Was the script still there? Can we catch the script? If yes, we can look into the script to know more details.

Hope it can help.


DouglasGray-4067 answered:

Thanks everyone for helping me research the issue. It appears that the issue is being caused by our third party IT team. Below is the information they sent us.

The process is kicked off by RMM. It is used to gather Windows updates health/status directly from Windows 10 machines. The RMM runs the PowerShell cmdlets through the agent in the SYSTEM context, which places these files in that location temporarily.

Again, thank you for all your assistance! It is not an automated windows process.