So last week I was working on someone's machine and found this PowerShell script:

start-process powershell -verb runAs

and another script:

del //publicshare

I know that the PowerShell script won't run, but I've gone ahead and taken ownership of the PowerShell folder; I'm sure it will come back, though.

What would you do to deal with this? In my eyes it's one thing if you're a scripter and just trying to lighten your workload, but not if you are trying to delete a share folder.

14 Spice ups

Does this person have admin creds? Local admin? I don’t believe these can run without them. Nice try, though.

I’d certainly bring this up with the person’s manager.

There are PowerShell management scripts installed by default by the OS.

Nah they don’t have admin creds. Normal user. I just thought it was interesting and wanted to see what you guys thought. They definitely can’t run it, but I was just a little surprised to see it.

If you have an application whitelist, you can block powershell.exe and powershell_ise.exe and/or block .ps1 files from executing for regular users.

2 Spice ups

I’d be surprised too! Maybe they want a job in your IT dept?

If he can't run it, then don't worry.

Maybe he Googles things and tries them out. I know I do at times still… 🙂

1 Spice up

The first part just opens PowerShell as an admin. If this user does not have admin creds, that script is useless. Perhaps this user knows an admin login?

1 Spice up

I would take this opportunity to try the script out on his machine after taking out the delete and putting something else in.

I would also talk to the guy and see what he was trying to do.

1 Spice up

Maybe instead of speculating about what said user was doing or trying, perhaps just ask them, "Hey, I noticed some PowerShell stuff, what's that about?" The end user might tell you it's for a class they are taking, or if it's on a mobile, maybe they have a server at home and were managing their own stuff there?

Just ask the question.

2 Spice ups

That's not a bad idea, to try it out on his machine. I'm also going to double-check his AD group to make sure he's not an admin. I doubt he is, but just to be sure.

A good attempt.

This guy is one Google search away from PowerShell user level 2.

Still, a network share requires creds to run from a local anyway, so no fear, unless he or someone has local admin rights.

Fear not,

Have a happy day

1 Spice up

It has happened on my watch, and even if it did not happen, with all the ransomware and malware out there, I'd advise you to make a GPO to run only signed scripts.

You can find info here:

That way only a person who owns a code-signing certificate will be able to make them and, more importantly, run them.

1 Spice up
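The two controls suggested in this thread (blocking powershell.exe / .ps1 for regular users with an application whitelist, and a GPO that only allows signed scripts) are both things you can audit from the machine itself before and after you roll them out. The script below is an added example written for this thread, not code posted by anyone in it. It assumes you run it as an administrator on the workstation in question and that `$UserName` is replaced with the account you are reviewing (a placeholder here); the AppLocker cmdlets need the AppLocker module that ships with Windows, and the signing step needs a code-signing certificate in the current user's personal store.

```powershell
# Added example (not from the thread): audit what a standard user can actually do
# with PowerShell on this machine, then walk through the AllSigned workflow that a
# "run only signed scripts" GPO enforces.
# Assumptions: run elevated on the workstation; $UserName is a placeholder account.

$UserName = "$env:USERDOMAIN\someuser"   # placeholder: the account under review

# 1. Is the account actually a local administrator? (the thread's first question)
#    Get-LocalGroupMember returns names in DOMAIN\user or COMPUTER\user form.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$isLocalAdmin = $admins -contains $UserName
"Local admin: $isLocalAdmin"

# 2. Execution policy at every scope. MachinePolicy / UserPolicy are the scopes a GPO
#    writes; if they are Undefined, no GPO is enforcing anything yet.
Get-ExecutionPolicy -List | Format-Table -AutoSize

#    The same GPO setting ("Turn on Script Execution") lands in this policy key.
$gpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
if (Test-Path $gpoKey) {
    Get-ItemProperty -Path $gpoKey | Select-Object EnableScripts, ExecutionPolicy
} else {
    'No PowerShell execution policy GPO applied to this machine.'
}

# 3. What the effective AppLocker policy says about powershell.exe for this user.
#    PolicyDecision will be Allowed or Denied (or AllowedByDefault when no rules apply).
$psExe = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $psExe -User $UserName |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 4. The AllSigned workflow: sign a script with a code-signing cert, verify it, then
#    show that editing the file after signing invalidates the signature.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
if (-not $cert) { throw 'No code-signing certificate found in Cert:\CurrentUser\My' }

$scriptPath = Join-Path $env:TEMP 'signed-example.ps1'   # constructed sample script
'Get-Date' | Set-Content -Path $scriptPath

Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert | Out-Null
"After signing:   " + (Get-AuthenticodeSignature -FilePath $scriptPath).Status   # Valid

# Any change to the file body breaks the hash the signature covers.
Add-Content -Path $scriptPath -Value 'Write-Host "edited after signing"'
"After tampering: " + (Get-AuthenticodeSignature -FilePath $scriptPath).Status   # HashMismatch
```

Two caveats worth keeping in mind when choosing between the two controls: an AllSigned execution policy only governs script files (.ps1, .psm1 and the like), so a user can still type commands interactively into a PowerShell console, whereas an AppLocker rule that denies powershell.exe stops both; and when AppLocker is enforcing script rules, any PowerShell that does run does so in ConstrainedLanguage mode, which removes most of the .NET access a user would need to work around the policy from inside the session.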

A GPO may not be a bad idea. I did talk to him about it. He said he is learning to script and wasn't going to run it; he also realized why I was being kind of cautious and apologized about the delete.

1 Spice up

Have blocked PowerShell using AppLocker.