Help me figure out what this .ps1 file I found as a scheduled task does?

Like the title says, I found a weird PowerShell file as a scheduled task. I don't really know PowerShell scripting so I'm not certain as to how to go about decrypting it.

Here's the file on pastebin. http://pastebin.com/R7gnpK4i

That's been encrypted so that you can only decrypt it on that machine. It looks very suspicious. If you change the last line from "Invoke-Expression $script" to just $script, then it'll echo what's been encrypted.

u/dudeedud4 • Aug 28, 2016, 4:46 PM

Yea, I thought it was hella suspicious. I'll do that and post what is shown. Barring any major things. Any way to pipe it out to a file?
Yup - $script > c:\temp\test.txt
http://powershellcookbook.com/recipe/MDMv/store-the-output-of-a-command-into-a-file
This is the feature that's potentially being abused: http://powershellcookbook.com/recipe/PukO/securely-store-credentials-on-disk
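The decode-without-running step described in the replies above, as an added example that is not code from the thread or the pastebin. It assumes the file's blob is in the same `ConvertFrom-SecureString` (DPAPI, current-user) format the linked cookbook recipe produces; the blob itself is a constructed harmless stand-in, not the one from the post, and the file paths under `$env:TEMP` are arbitrary.

```powershell
# Added example (not from the thread): inspect a script that ends in
# "Invoke-Expression $script" by decoding the DPAPI-protected string and
# writing it to a file instead of executing it.
# Assumption: the blob was produced with ConvertFrom-SecureString (no -Key),
# so it only decodes for the same user on the same machine.

# --- Constructed sample: a harmless "script" protected the cookbook way ---
# (stands in for the pastebin blob, which is not reproduced here)
$blobPath = Join-Path $env:TEMP 'suspicious-blob.txt'
ConvertTo-SecureString -String "Write-Output 'benign sample'" -AsPlainText -Force |
    ConvertFrom-SecureString |
    Set-Content -Path $blobPath

# --- Analysis: recover the plaintext without running it ---
function Get-DecodedScript {
    param([Parameter(Mandatory)][string]$BlobPath)

    # ConvertTo-SecureString with no key uses DPAPI for the current user;
    # under another user or on another machine this throws, which is what
    # "you can only decrypt it on that machine" means.
    $secure = (Get-Content -Path $BlobPath -Raw).Trim() | ConvertTo-SecureString

    # Pull the plaintext out of the SecureString, then zero the buffer.
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    } finally {
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}

$decoded = Get-DecodedScript -BlobPath $blobPath

# The thread's "$script > c:\temp\test.txt" step: write it out for review
# and never hand it to Invoke-Expression.
$outPath = Join-Path $env:TEMP 'decoded-script.txt'
$decoded | Set-Content -Path $outPath
Get-Content -Path $outPath

# Triage aid: a hash of the original file for a VirusTotal lookup, as
# suggested later in the thread, without uploading the file itself.
Get-FileHash -Path $blobPath -Algorithm SHA256
```

Run it as the same user the scheduled task runs under, since DPAPI ties the blob to that user profile; if the task runs as SYSTEM, decoding from an ordinary user session fails even on the same machine, which is one reason to check the task's "Run as" account before concluding the file was moved or tampered with.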
Interesting. Here's what I get; it might be because I moved the file to the desktop instead of C:\windows where it was.
http://pastebin.com/8vCLD7GG
Since we are in /r/PowerShell I cannot help myself. Same result, but this way is more PowerShelley
Upload the file or its MD5 to VirusTotal. I doubt it's a new exploit.
Success! I have decrypted it!
http://pastebin.com/CwAZiYeS
/u/leeroylee /u/Yoss0