Hello all, at August 4th, KSC registred a lot of events from different worksations in our network at same time: Event type: Process action blocked User: -- (Active user) Component: Adaptive Anomaly Control Rule name: PowerShell executes obfuscated code Source process: c:\windows\system32\wsmprovhost.exe Source process hash: 41caf4184b3e78ca14966207ff4fecwerwt3d2703b564ff3e6833d Source object: object://ps:521DC7CFF46F74C6D3C7FF734EDE49AD7A2370F1050ECF8B7A1B385D7 Target object: object://script:$error.Clear() $IDS1 = 1069,1137,1155,1159,1205,1254,1641,2041,10690,10691,10692,10693,10694,10695,10696,10697,10698,10699; $IDS2 = 11370,11371,11372,11373,11374,11375,11376,11377,11378,11379,11550,11551,11552,11553,11554,11555,11556,11557,11558,11559; $IDS3 = 12050,12051,12052,12053,12054,12055,12056,12057,12058,12059,12540,12541,12542,12543,12544,12545,12546,12547,12548,12549; $IDS4 = 13002,1409... Target object hash: 521dc7cfff734ede49ad7a2370f19ecf8b7a1b385d7 The first that come to my mind was PRTG trying to get some WMI data, but we are not monitoring workstations (usually servers and network devices), anyway, I stopped the service but there were more events. At afternoon finished and we didn't see it again. Some idea? thank you in advance
