r/PowerShell

Help me figure out what this .ps1 file I found as a scheduled task does?

u/dudeedud4
Aug 28, 2016, 3:12 PM

Like the title says, I found a weird powershell file as a scheduled task. I don't really know powershell scripting so I'm not certain as to how to go about decrypting it..

Here's the file on pastebin. http://pastebin.com/R7gnpK4i

u/leeroylee
Aug 28, 2016, 4:17 PM

That's been encrypted so that you can only decrypt it on that machine. It looks very suspicious. If you change the last line from "Invoke-Expression $script" to just $script, then it'll echo what's been encrypted.

u/dudeedud4
Aug 28, 2016, 4:46 PM

Yea, I thought it was hella suspicious. I'll do that and post what is shown. Barring any major things. Anyway to pipe it out to a file?

u/leeroylee
Aug 28, 2016, 4:52 PM
u/leeroylee
Aug 28, 2016, 4:54 PM

This is the feature that's potentially being abused: http://powershellcookbook.com/recipe/PukO/securely-store-credentials-on-disk

u/dudeedud4
Aug 28, 2016, 4:57 PM

Interesting.. Here's what I get, might be because I moved the file to the desktop instead of C:\windows where it was.

http://pastebin.com/8vCLD7GG

u/OathOfFeanor
Aug 29, 2016, 9:38 AM

Since we are in /r/PowerShell I cannot help myself. Same result, but this way is more PowerShelley

$script | Out-File -FilePath 'C:\temp\test.txt'
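
The mechanism the replies above describe, as an added example (not code from this thread or from the linked cookbook page): a string run through ConvertFrom-SecureString is protected with DPAPI under the profile of the user who created it, which is why the task only decodes on that machine, and the safe way to inspect it is to decode it and write the text out instead of passing it to Invoke-Expression. The $blob value is a constructed, harmless sample built inside the script, and the output path C:\temp\decoded.txt is an assumption.

```powershell
# Added example. Shows (1) what a DPAPI-protected string looks like and
# (2) how to decode one for inspection WITHOUT executing it.

# --- (1) Constructed sample of a "securely stored" string --------------
# ConvertFrom-SecureString with no -Key uses DPAPI, bound to the current
# user profile on this host. Moving the .ps1 elsewhere or running it as a
# different account will not decode it.
$plain = 'Write-Output "constructed harmless placeholder"'   # not from the thread
$blob  = ConvertTo-SecureString -String $plain -AsPlainText -Force |
         ConvertFrom-SecureString
# $blob is now a long hex string; only this user on this machine can reverse it.

# --- (2) Defender side: reveal the protected text, never Invoke-Expression it
function Unprotect-StoredString {
    param([Parameter(Mandatory)][string]$Encrypted)
    # Same DPAPI decrypt the suspicious script performs before Invoke-Expression.
    # This must run as the SAME account the scheduled task runs under (e.g. the
    # user or SYSTEM), otherwise ConvertTo-SecureString throws a DPAPI error.
    $secure = ConvertTo-SecureString -String $Encrypted
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)   # scrub the unmanaged copy
    }
}

# Equivalent of replacing "Invoke-Expression $script" with "$script": emit the
# decoded text to a file for reading (path is an assumption), do not run it.
$decoded = Unprotect-StoredString -Encrypted $blob
$decoded | Out-File -FilePath 'C:\temp\decoded.txt'
```

Run this under the account the scheduled task is configured to use (check the task's "Run as" principal); decoding under any other account fails because the DPAPI key is derived from that user's profile. The decoded file is then a plain text you can read and, as suggested later in the thread, hash and submit for scanning.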

u/DarthKane1978
Aug 29, 2016, 3:03 AM

Upload file or md5 to virus total. I doubt it's a new exploit.

u/dudeedud4
Aug 29, 2016, 3:26 PM

Success! I have decrypted it!

http://pastebin.com/CwAZiYeS

/u/leeroylee /u/Yoss0
