PowerShell keeps being blocked with the following command line:
powershell -ep bypass -c &{$y= gc eCednSi.log; $y | iex})
Every method to get rid of it or to find the cause failed. What should I do?
Thank you very much
Hello @Urbaman and welcome to the Community!
Advanced Threat Defense continuously monitors the applications and processes running on your computer. It monitors suspicious activities such as copying files to important Windows operating system folders, executing or injecting code into other processes, multiplying them, changing Windows registry or installing drivers.
It uses an innovative way of detecting ransomware and zero-day threats in real-time using advanced heuristic methods. This method is different from traditional malware detection, which involves identifying malware using the virus signature database.
Bitdefender is monitoring a list of processes that are known to be used in performing fileless attacks. This list includes processes such as autoit.exe, bitsadmin.exe, cscript.exe, java.exe, javaw.exe, wmiprvse.exe, net.exe, netsh.exe, powershell.exe, powershell_ise.exe, py.exe, python.exe, regedit.exe, regsvr32.exe, rundll32.exe, schtasks.exe, and wscript.exe.
When a new process starts on the machine protected by Bitdefender technologies, the command-line is extracted and sent as a buffer to the scanning engines, augmenting the scanning context with information regarding the original process path and the parent process. The buffers identified as commands (cmd’s), found in other file types, like LNK, JOB, BAT and PS1 are also scanned.
There have been numerous attacks that shared the Powershell component, hence the need to be on guard against any possible attacks exploiting it. User generated scripts may end up being detected as false positives in this context.
For this scenario, you may submit the false positive detection to our malware labs using the form at the link below:
https://www.bitdefender.com/consumer/support/answer/29358/
Fileless malware infections appeared in August 2014, when the Poweliks Trojan made its debut. It was initially engineered to perform click-fraud, but it evolved into a registry-based threat. This specimen found its way into the system by exploiting a Microsoft Word vulnerability. It used PowerShell and JavaScript along with shellcode to jumpstart its in-memory execution.
Another fileless malware specimen that gained attention in 2015 was Kovter. In that incarnation, Kovter's infection technique closely resembled that of Poweliks. Even when starting the infection with a malicious Windows executable, the specimen removed that file after storing obfuscated or encrypted artifacts in the registry. At least one of its variations maintained persistence by using a shortcut file that executed JavaScript. This script launched PowerShell and executed shellcode to launch a non-malicious application after injecting malicious code into it.
In mid-2016, the PowerSniff infection began with a Microsoft Word document with a malicious macro. The in-memory mechanics of this specimen resembled some aspects of Kovter and involved a PowerShell script that executed shellcode, which decoded and executed additional malicious payload, operating solely in memory. PowerSniff had the ability to temporarily save a malicious DLL to the file system.
In early 2017, another sophisticated attack, named POSHSPY, used the Windows Management Instrumentation (WMI) capabilities of the OS to maintain persistence and relied on PowerShell for its payload. The specimen had the ability to download executable files, which it would save to the file system.
Best regards.
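As an added example (not Bitdefender's code and not the poster's own command), here is a PowerShell hunting script that walks the persistence locations the reply above names for Poweliks, Kovter and POSHSPY (registry Run keys, scheduled tasks, WMI event consumers, startup-folder shortcuts) plus the command lines of PowerShell processes currently running, and flags anything that shows the traits of the blocked line (`-ep bypass`, `gc ... | iex`) or their usual companions (encoded commands, hidden windows, download cradles). The pattern list and the helper names `Test-SuspiciousCommandLine` and `Add-Finding` are this example's assumptions, not Bitdefender's actual detection rules. Run it from an elevated prompt so HKLM and the root\subscription namespace are readable.

```powershell
# Added example, not Bitdefender's code and not the poster's command line.
# Hunts the persistence locations the reply describes for PowerShell command
# lines of the kind the detection fired on. The patterns and helper names are
# this example's own assumptions. Run elevated so HKLM and root\subscription
# are readable.

# Regexes for the traits the flagged line showed (-ep bypass, gc | iex) plus
# the usual companions (encoded commands, hidden windows, download cradles).
$SuspiciousPatterns = @(
    '(?i)\bpowershell(\.exe)?\b.*\s-(e|ep|ex|executionpolicy)\s+bypass',
    '(?i)(gc|get-content|cat|type)\b[^|]*\|\s*(iex|invoke-expression)\b',
    '(?i)\b(iex|invoke-expression)\b',
    '(?i)\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}',
    '(?i)\s-(nop|noprofile|w\s+hidden|windowstyle\s+hidden)\b',
    '(?i)\b(downloadstring|downloadfile|frombase64string|net\.webclient)\b'
)

# Returns the first pattern a command line matches, or $null when it is clean.
function Test-SuspiciousCommandLine {
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    foreach ($pattern in $SuspiciousPatterns) {
        if ($CommandLine -match $pattern) { return $pattern }
    }
    return $null
}

# Sanity check: the command line quoted in the post should trip the first pattern.
Test-SuspiciousCommandLine -CommandLine 'powershell -ep bypass -c &{$y= gc eCednSi.log; $y | iex}'

$Findings = [System.Collections.Generic.List[object]]::new()

# Records a hit with where it was found, so the source of the launch can be removed.
function Add-Finding {
    param([string]$Source, [string]$Location, [string]$CommandLine)
    $hit = Test-SuspiciousCommandLine -CommandLine $CommandLine
    if ($hit) {
        $Findings.Add([pscustomobject]@{
            Source      = $Source
            Location    = $Location
            Pattern     = $hit
            CommandLine = $CommandLine
        })
    }
}

# 1. Registry Run/RunOnce keys (the registry-based persistence Poweliks and Kovter used).
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name -like 'PS*') { continue }   # skip PSPath, PSParentPath, PSProvider...
        Add-Finding -Source 'Registry Run key' -Location "$key\$name" -CommandLine ([string]$props.$name)
    }
}

# 2. Scheduled tasks (schtasks.exe is on the monitored-process list for a reason).
foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
    foreach ($action in $task.Actions) {
        if ($action.Execute) {
            Add-Finding -Source 'Scheduled task' -Location "$($task.TaskPath)$($task.TaskName)" `
                -CommandLine "$($action.Execute) $($action.Arguments)"
        }
    }
}

# 3. WMI permanent event consumers (the POSHSPY persistence technique).
Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding -Source 'WMI CommandLineEventConsumer' -Location $_.Name -CommandLine $_.CommandLineTemplate }
Get-CimInstance -Namespace root\subscription -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding -Source 'WMI ActiveScriptEventConsumer' -Location $_.Name -CommandLine $_.ScriptText }

# 4. Startup-folder shortcuts (the Kovter LNK variant); the .lnk target and arguments are read via COM.
$Shell = New-Object -ComObject WScript.Shell
foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    if (-not $dir -or -not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $Shell.CreateShortcut($_.FullName)
        Add-Finding -Source 'Startup shortcut' -Location $_.FullName -CommandLine "$($lnk.TargetPath) $($lnk.Arguments)"
    }
}

# 5. PowerShell processes running right now, with their parent, the same context the scanner uses.
Get-CimInstance Win32_Process -Filter "Name = 'powershell.exe' OR Name = 'pwsh.exe'" | ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
    Add-Finding -Source "Running process (parent: $($parent.Name))" -Location "PID $($_.ProcessId)" -CommandLine $_.CommandLine
}

if ($Findings.Count -eq 0) {
    'No persistence entry or running process matched the patterns.'
} else {
    $Findings | Format-Table Source, Location, Pattern, CommandLine -Wrap
}
```

If the table is empty but the block keeps recurring, the launcher is somewhere this script does not look (a Services entry, a logon script, an Office macro, or a scheduled task that hides its command line behind a COM handler rather than an Exec action), so widen the hunt rather than whitelisting the detection. If a legitimate script of your own shows up, that is the false-positive case the reply describes and the submission form is the right route.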