
I'm on a laptop running Windows 8.1 connected to the internet, running Kaspersky. I am the sole user and administrator of this laptop. While going about my usual work, I paused for a moment (hands off both keyboard and mouse), during which time a PowerShell window opened all by itself and started flashing. With each flash, the window switched between Administrator and normal mode until, after about three seconds, it stayed steady in Administrator mode. It paused for about another half second and then ran something so fast I couldn't see what it was, and then a second PowerShell window opened up in front of it and ran something else, but this time all the output was in red text. I've tried to google around and find out what might have caused this, but I haven't been able to find anything of value, so I'm hoping that somebody in this community might have some awareness of what this is, whether or not I should be concerned, and what I should do about it.

In short: PowerShell opened by itself on Windows 8.1, changed itself to Administrator mode and ran two scripts, all without me touching anything. Should I be worried or terrified?

  • 1
    Was this a computer someone else administers for you or a personally owned system? – atk Dec 19 '14 at 01:50
  • Question updated: I am the sole user and administrator of this laptop. – Maxwell's Demon Dec 19 '14 at 01:54
  • 1
    If you know what time it was, it may be helpful to look through your PCs event logs – cutrightjm Dec 19 '14 at 01:59
  • @ekaj I did not look at the time, unfortunately. I'm in the event log now, but there are 64 events with timestamps that look like they could match. Any further clues on how I might track this down (e.g., self-starting shell scripts having a tell-tale piece of metadata attached to them)? I'm afraid I don't know a lot about these things. – Maxwell's Demon Dec 19 '14 at 02:07
  • It could be a scheduled task for updates; I have a similar issue where every day at midnight a command prompt opens and runs some MySQL updates. –  Dec 20 '14 at 18:31
  • I referenced it in the beginning of my answer/reply to your post here, but sorry for being super late (1 year later) to the party. I simply came across this post while researching something similar at work and thought my advice could be both helpful and beneficial to you and most importantly to other users who stumble upon this in the future so I posted an answer. – Brad Bouchard Jan 04 '16 at 22:21
  • It's worth noting that the event log *can* be configured to capture a lot of useful information for troubleshooting these cases, but by default it usually doesn't. – Iszi Jan 04 '16 at 22:29

2 Answers


While I'd recommend following ekaj's suggestion and trawling your logs to be sure, it sounds very suspicious to me.

If you have allowed automated updates, it is possible that this was part of an update script...but usually updates present quite formalised user information.

Safest bet is to assume the worst - and wipe it and rebuild. A Powershell running as admin could have done anything.

We have a range of questions here on what to do once a machine has been compromised...the canonical answer is, however, to do a complete wipe, and either rebuild from a known clean backup or from installation media.

Rory Alsop
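Following ekaj's and Iszi's comments about trawling the logs, here is an added example (not from the question or either answer) of the queries a defender would run on that Windows 8.1 machine to reconstruct what launched PowerShell, with which command line, and whether a scheduled task was behind it. `$Start` and `$End` are placeholders for the observed time window; the Security log query needs an elevated shell, and 4688 events only exist if process-creation auditing was already on.

```powershell
# Added example, not from the question or answers. $Start/$End are placeholders
# for the time window in which the PowerShell window appeared.
$Start = (Get-Date).AddHours(-2)
$End   = Get-Date

# 1. Engine start/stop events in the "Windows PowerShell" log (IDs 400/403).
#    These are written by default and carry HostApplication=, the command line
#    that launched the host, so this is the first place to look on 8.1.
$engine = Get-WinEvent -FilterHashtable @{
    LogName = 'Windows PowerShell'; Id = 400, 403
    StartTime = $Start; EndTime = $End
} -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{
        Time = $_.TimeCreated
        Id   = $_.Id
        Host = ($_.Message -split "`n" | Where-Object { $_ -match 'HostApplication=' }) -join ''
    }
}

# 2. Process-creation audits (Security log, ID 4688). Only present if
#    "Audit Process Creation" was enabled beforehand; needs an elevated shell.
$procs = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4688
    StartTime = $Start; EndTime = $End
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'powershell\.exe' } |
    Select-Object TimeCreated, @{ n = 'Process'; e = {
        ($_.Message -split "`n" | Where-Object { $_ -match 'New Process Name|Creator Process|Process Command Line' }) -join ' ' } }

# 3. Scheduled-task launches (ID 100 = task started), to test the
#    "it was just a scheduled update task" explanation from the comments.
$tasks = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 100
    StartTime = $Start; EndTime = $End
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Task'; e = { $_.Properties[0].Value } }

$engine | Format-Table -AutoSize
$procs  | Format-List
$tasks  | Format-Table -AutoSize

# 4. For next time: script block logging (WMF 5 on 8.1) records the content of
#    every script block as event 4104 in Microsoft-Windows-PowerShell/Operational,
#    which is the logging Iszi notes is off by default.
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord
```

If the engine events show a HostApplication that is not your own interactive session, that command line is the lead to follow before the wipe; if nothing at all was recorded, that itself supports Rory's "assume the worst" advice.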

I know I'm super late to this party, but this question came up for me while I was searching Sec.SE in relation to another situation that I'm dealing with at work. I also think I could provide something useful that hadn't been touched upon yet. Although I'd agree with Rory Alsop, I'd also like to add something that both backs his answer up and gives you another piece of advice beyond wiping your computer; which I fully recommend that you do (hopefully by now you've already DONE this). Lastly, this is for anyone else who comes upon this question and can get perhaps a comprehensive view between both of our answers.

On to my answer... (and this only adds to the original accepted answer; always check logs first and do some research)

For me, I'd be equally as worried that whatever was running was able to elevate itself to Admin in PowerShell. This could (it isn't definite) indicate that whatever was running grabbed your credentials either from the cached credentials that Windows stores on the local disk, or from some keylogger that may have remained hidden, and then used them to elevate itself and run a myriad of things. There are a number of ways your admin password (and other passwords) could have become compromised if indeed that did happen. That leads me down the path of being paranoid and assuming the worst as has already been stated, which means that your passwords were stolen (let's say WERE STOLEN for the context of this answer) and now you have that as a problem. Here are two things to do, in addition to wiping your computer and starting over from scratch.

  1. Change your password(s) used on this computer no matter what they were for. You never know what was compromised if a keylogger or malicious piece of software sat on your system without you knowing it.
  2. Create a regular user account that you use for everyday use and an administrative user account that you only use when something needs to run with permission from an elevated account; turn UAC (User Account Control) on to bolster this tactic and run things as administrator when needed. That way if your regular account gets compromised, the admin account won't automatically be compromised and would-be hackers would have a harder time trying to perform a successful attack.
  3. Use a VM: Create a virtual machine that you do sensitive, admin privileged-type of work on. Still use tactic #2 above when using this VM and log in with a regular user and only use admin credentials as needed by using "Run as administrator". If the VM is compromised, simply delete it and create a new one from scratch. While VM escape (the act of escaping the VM back into the host machine) isn't impossible, it's much more difficult than most people realize. Utilize the various snapshot tools integrated into most hypervisors of today to really make this tactic efficient, then you won't have to wipe your main machine each time something like this happens.
Brad Bouchard
  • Not sure why you're assuming the password was needed. Most people have the UAC prompt (if any) configured to ask for consent only - no credential entry required. So, I'd say it's actually quite unlikely that the password was compromised for elevation. That said, there is still always the possibility that the PowerShell script (or whatever initiated it) did include a keylogger. So, recommending a password change is definitely good advice even if a password compromise was actually not needed for the supposed exploit to work. – Iszi Jan 04 '16 at 22:10
  • @Iszi nowhere in my answer did I intimate that a password is needed; not sure why you're assuming that I'm assuming. My answer was posted so that he, and other users who come across this post, would think of other items that were compromised outside of just something malicious running on the computer. Also, most people don't use UAC at all which is why I recommended it for him. Having the prompt is better than not using it at all, and having the prompt ask for creds is the best. – Brad Bouchard Jan 04 '16 at 22:15
  • @Iszi I'll assume since you said my recommendation of a password change was a good idea that you also up voted me as well? – Brad Bouchard Jan 04 '16 at 22:22
  • Right off the bat (once you finally get to the actual "answer" part of your post), you say the user should be worried about how the program self-elevated and immediately following that you suggest that it was through stolen credentials. This is perhaps the least-likely scenario of any, and the focus of the recommendation for password change would more appropriately be due to "bad guy got code to run on your computer - could have done anything" instead of "weird program running as admin proves your password was already stolen". – Iszi Jan 04 '16 at 22:26
  • My exact words... "This could (it isn't definite) indicate..." Then I go on to say, "...(let's say WERE STOLEN for the context of this answer)". In response to your "bad guy" portion of your comment, that's exactly what I suggested when I talked about keyloggers. Please read more carefully next time, and leave these types of nonconstructive, non-helpful comments to yourself. My answer complements Rory's and I believe makes for a holistic approach when it comes to dealing with computers that we consider compromised. I also gave good recommendations for the OP's future computer dealings. – Brad Bouchard Jan 04 '16 at 22:36
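Step 2 of Brad's answer and Iszi's point that most UAC prompts ask only for consent come down to a handful of policy values. This added example (not from either answer) audits those values on the machine and, with `-Harden`, sets UAC to demand credentials on the secure desktop and creates the separate standard account for daily use; `DailyUser` is a placeholder name, and the hardening branch needs an elevated shell.

```powershell
# Added example, not from the answers. Run in PowerShell on Windows 8.1.
param([switch]$Harden)

$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $key

# Documented meanings of ConsentPromptBehaviorAdmin. Only 1 and 3 require the
# admin password; the Windows default (5) is consent-only, as Iszi describes.
$meaning = @{
    0 = 'elevate silently, no prompt (weakest)'
    1 = 'prompt for credentials on the secure desktop (strongest)'
    2 = 'prompt for consent on the secure desktop'
    3 = 'prompt for credentials'
    4 = 'prompt for consent'
    5 = 'prompt for consent for non-Windows binaries (Windows default)'
}

$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
[pscustomobject]@{
    UacEnabled          = [bool]$uac.EnableLUA
    AdminPromptBehavior = "$($uac.ConsentPromptBehaviorAdmin): $($meaning[[int]$uac.ConsentPromptBehaviorAdmin])"
    SecureDesktopPrompt = [bool]$uac.PromptOnSecureDesktop
    # True means you are doing daily work from an admin account (what step 2 says to stop).
    CurrentUserIsAdmin  = $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
} | Format-List

if ($Harden) {
    # EnableLUA only takes effect after a reboot; the prompt settings apply at once.
    Set-ItemProperty -Path $key -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name ConsentPromptBehaviorAdmin -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name PromptOnSecureDesktop      -Value 1 -Type DWord

    # Separate daily-use standard account (placeholder name). net.exe is used
    # because the LocalAccounts cmdlets are not available on Windows 8.1.
    # "*" makes net.exe prompt for the password instead of taking it on the command line.
    net user DailyUser * /add
    # Deliberately NOT added to Administrators: keep the existing admin account
    # for "Run as administrator" only, so compromising DailyUser does not give admin.
}
```

After the change, any elevation, including one triggered by a script, has to present a credential prompt on the secure desktop rather than a one-click consent box.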