
Adaptive Anomaly Control - PowerShell executes obfuscated code


Solved by Kinnari


Posted

Hello all,

On August 4th, KSC registered a lot of events from different workstations in our network at the same time:

Event type: Process action blocked
User: -- (Active user)
Component: Adaptive Anomaly Control
Rule name: PowerShell executes obfuscated code
Source process: c:\windows\system32\wsmprovhost.exe
Source process hash: 41caf4184b3e78ca14966207ff4fecwerwt3d2703b564ff3e6833d
Source object: object://ps:521DC7CFF46F74C6D3C7FF734EDE49AD7A2370F1050ECF8B7A1B385D7
Target object: object://script:$error.Clear() $IDS1 = 1069,1137,1155,1159,1205,1254,1641,2041,10690,10691,10692,10693,10694,10695,10696,10697,10698,10699; $IDS2 = 11370,11371,11372,11373,11374,11375,11376,11377,11378,11379,11550,11551,11552,11553,11554,11555,11556,11557,11558,11559; $IDS3 = 12050,12051,12052,12053,12054,12055,12056,12057,12058,12059,12540,12541,12542,12543,12544,12545,12546,12547,12548,12549; $IDS4 = 13002,1409...
Target object hash: 521dc7cfff734ede49ad7a2370f19ecf8b7a1b385d7

 

The first thing that came to my mind was PRTG trying to get some WMI data, but we are not monitoring workstations (usually servers and network devices). Anyway, I stopped the service, but there were more events. In the afternoon it finished and we didn't see it again.

Any ideas?

Thank you in advance.
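The event above names wsmprovhost.exe as the source process; that is the host the WinRM service starts for an incoming remote PowerShell session, so the blocked script was pushed from another machine. The script below is an added triage example, not something from this thread or a Kaspersky tool: run elevated on one of the affected workstations, it recovers the full script text (the KSC record is truncated after `$IDS4 = 13002,1409...`) and the account and source address of the session that ran it. It assumes script block logging (PowerShell 5+, event 4104) and logon auditing (Security event 4624) are enabled; `$BlockTime`, `$WindowMinutes` and the `$ScriptMarker` fragment (copied from the Target object field) are the example's own parameters, and the default block time is a placeholder.

```powershell
<#
Added triage script; not from the forum thread and not a Kaspersky tool.
Run elevated on a workstation where Adaptive Anomaly Control blocked
wsmprovhost.exe. That process is started by the WinRM service for a remote
PowerShell session, so the script came from another host on the network.

Assumptions (not stated in the thread):
  - Script block logging (event 4104, Microsoft-Windows-PowerShell/Operational)
    is enabled by policy. Even without it, PowerShell 5+ still logs blocks it
    heuristically flags as suspicious, so the log is worth checking anyway.
  - Successful logons are audited (Security event 4624).
  - $BlockTime is the timestamp from the KSC event; the default is a placeholder.
#>
param(
    [datetime]$BlockTime     = (Get-Date).AddHours(-1),
    [int]     $WindowMinutes = 5,
    # Distinctive fragment of the blocked script, copied from the KSC "Target object" field.
    [string]  $ScriptMarker  = '$IDS1 = 1069,1137,1155'
)

$start = $BlockTime.AddMinutes(-$WindowMinutes)
$end   = $BlockTime.AddMinutes($WindowMinutes)

# Read a named EventData field from the event XML. This is more robust than
# relying on the positional order of $event.Properties.
function Get-EventField {
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    $xml  = [xml]$Event.ToXml()
    $node = $xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    if ($node) { $node.'#text' } else { $null }
}

# 1. Recover the full script text. Get-WinEvent raises an error when no event
#    matches, hence -ErrorAction SilentlyContinue on every query.
$blocks = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $start; EndTime = $end
} -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'ScriptBlockText') -like ('*' + $ScriptMarker + '*') }

foreach ($b in $blocks) {
    $id = Get-EventField $b 'ScriptBlockId'
    Write-Output "[4104] $($b.TimeCreated)  ScriptBlockId=$id"
    Write-Output (Get-EventField $b 'ScriptBlockText')
}

# 2. Attribute the session. A remote PowerShell session produces a network
#    logon (type 3) on the target; 4624 records the account and source address.
$logons = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624; StartTime = $start; EndTime = $end
} -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'LogonType') -eq '3' } |
    ForEach-Object {
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Account  = '{0}\{1}' -f (Get-EventField $_ 'TargetDomainName'), (Get-EventField $_ 'TargetUserName')
            SourceIp = Get-EventField $_ 'IpAddress'
            AuthPkg  = Get-EventField $_ 'AuthenticationPackageName'
        }
    }
$logons | Sort-Object Time | Format-Table -AutoSize

# 3. Corroborate with the WinRM service log: event 91 is written when the
#    service creates a WSMan shell for an incoming session.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-WinRM/Operational'; Id = 91; StartTime = $start; EndTime = $end
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
```

If the source address in the 4624 rows belongs to a known monitoring or management server, the block is a false positive for a legitimate job and can be handled through a rule exclusion for that script; if it is an address you cannot account for, treat the event as an incident and pull the same logs from the other workstations in the KSC list before they roll over.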

  • Solution
Posted

Greetings Hedel!

Please update your database; the new update files should resolve this issue.

Best Regards!
