rogerthat69
Posts: 57 +0
I have learned that hackers use PowerShell to manage remote computers by installing malware code etc. Prior to Win 10 it was possible to uninstall PowerShell as a Windows component. That is not an option with Win 10. Does anyone know why? Does Microsoft use PowerShell (ISE) for e.g. OS maintenance?
My event log shows that someone is running PowerShell script blocks executing remote commands. The message in the event log is "Warning", ID 4104. The process starts with Console Startup (ID 40962), then an IPC listening thread on process 4292 in DefaultAppDomain. All scripts are readable code.
"Providers" were started the last time by PowerShell Host: FileSystem, Variable, Alias, Function, Registry, Environment.
It seems(?) Windows Remote Manager is involved, making client API calls (ID 145). An operation (enumeration) starts by using the resource: http://schemas.microsoft.com/wbem/wsman/1/config/listener.
I don't feel comfortable with these processes going on. If MS were involved using PowerShell scripts they should be explicit about it.
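The following is an added triage script, not code from the post above, for pulling the events the poster is describing out of the event log and seeing what launched them. It reads script-block events (ID 4104) and console start-ups (ID 40962) from the PowerShell operational log, WinRM client operations (ID 145) from the WinRM operational log, and then checks whether a WinRM listener is actually configured on the machine. The function name, the 7-day window and the assumption of an elevated Windows PowerShell 5.1 session are choices made here, not anything from the post.

```powershell
# Added example (not from the original post): triage PowerShell script-block
# and WinRM events, then check the local WinRM listener configuration.
# Assumptions: elevated Windows PowerShell 5.1 on the affected machine;
# the 7-day lookback is arbitrary.

$Since = (Get-Date).AddDays(-7)

function Get-ScriptBlockEvents {
    param([datetime]$StartTime)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $StartTime
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # The script text and source path live in EventData, not only in the
        # rendered message, so read them from the event XML.
        $data = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) {
            $data[$n.Name] = $n.'#text'
        }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            # 4104 is normally Verbose; Warning means the block matched the
            # engine's built-in suspicious-content heuristics.
            Level     = $e.LevelDisplayName
            ProcessId = $e.ProcessId
            Path      = $data['Path']          # empty for typed or remotely delivered code
            Text      = $data['ScriptBlockText']
        }
    }
}

# 40962: "PowerShell console is starting up". UserId shows which account
# started the host; ProcessId ties it to the 4104 blocks below.
$startups = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 40962; StartTime = $Since
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, ProcessId, UserId
$startups | Format-Table -AutoSize

# 145: WSMan client operation started. The message names the operation and
# the resource URI (e.g. .../wsman/1/config/listener for a listener enumeration).
$wsman = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-WinRM/Operational'; Id = 145; StartTime = $Since
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, ProcessId, Message
$wsman | Format-Table -AutoSize -Wrap

$blocks = Get-ScriptBlockEvents -StartTime $Since

# Which host process ran which script files? A block with no Path was typed
# at a prompt, passed on the command line, or delivered over a remoting session.
$blocks | Group-Object ProcessId | ForEach-Object {
    $paths = ($_.Group.Path | Where-Object { $_ } | Sort-Object -Unique) -join '; '
    [pscustomobject]@{
        ProcessId = $_.Name
        Blocks    = $_.Count
        Warnings  = ($_.Group | Where-Object Level -eq 'Warning').Count
        Paths     = if ($paths) { $paths } else { '(no file path)' }
    }
} | Format-Table -AutoSize

# Full text of the Warning-level blocks, the ones that show up as "Warning"
# in Event Viewer.
$blocks | Where-Object Level -eq 'Warning' | Format-List Time, ProcessId, Path, Text

# Can anyone reach this box over WinRM at all? That needs the service running
# and at least one listener; otherwise the 145 events are this machine acting
# as a client, not something connecting in.
$svc = Get-Service -Name WinRM
"WinRM service: $($svc.Status) (start type: $($svc.StartType))"
if ($svc.Status -eq 'Running') {
    Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
        Select-Object Address, Transport, Port, Enabled, ListeningOn
} else {
    'WinRM is not running: no listener is accepting remote PowerShell sessions.'
}
```

Reading the output: match the ProcessId of each 4104 block against the 40962 start-up for the same process to see which account and which host launched it, and look at the Path column to see whether the code came from a file on disk or arrived some other way. The listener check at the end tells you whether remote sessions into this machine are even possible; if WinRM is stopped or has no listener, the ID 145 events show this machine making WSMan calls, not receiving them.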