Feb 12 2022 02:25 PM
Hi all,
For two days, perhaps coincidentally since the security updates were released via SCCM,
the following alerts have been continuously generated on Windows Server 2019 servers by Microsoft 365 Defender:
'SuspiciousScriptDrop' malware was prevented
'SuspiciousScriptDrop' malware was prevented on a Microsoft SQL server
'SuspiciousScriptDrop' malware was prevented on an IIS Web server
The event seems to be generated by the execution of a PowerShell script whose name always changes in its final part:
_PSScriptPolicyTest_e5xewz2b.d1e.ps1
__PSScriptPolicyTest_hfszzy13.twt.ps1
__PSScriptPolicyTest_mvd5cukz.i50.ps1
__PSScriptPolicyTest_buadpcch.hak.ps1
The malware detected is the following (VirusTotal detection ratio 0/0):
Trojan:JS/SuspiciousScriptDrop.B!pwsh
The file path is always:
C:\Windows\Temp\
The user is always the LocalSystem user:
NT AUTHORITY\SYSTEM
Command line:
powershell.exe -NoLogo -NoProfile -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File Maintenance.ps1
Why are these alarms generated? Do we have to go deep into their analysis or are they false positives?
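As an added triage helper (not part of the original post or of any Microsoft tooling), the script below reads the Defender Antivirus operational log on one of the affected servers, keeps only the detections for the threat name quoted above, and flags whether each detected file fits the __PSScriptPolicyTest_<random>.ps1 naming in C:\Windows\Temp described in the post. It assumes local administrator rights and the default Defender event log name; the function name, the two-day window and the file-name regex are my own choices.

```powershell
# Added triage helper, not from the original post. Summarise Defender detections for the
# threat/file pattern described above by parsing the Defender Antivirus operational log.
function Get-ScriptPolicyTestDetections {
    param(
        [string]$ThreatName = 'Trojan:JS/SuspiciousScriptDrop.B!pwsh',  # name from the post
        [int]$Days = 2                                                  # window from the post
    )
    # Event 1116 = malware detected, 1117 = action taken (Microsoft Defender Antivirus)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $msg = $e.Message
        if ($msg -notmatch [regex]::Escape($ThreatName)) { continue }
        # Defender writes these fields into the message body, one per line
        $path    = if ($msg -match '(?m)^\s*Path:\s*(.+?)\s*$')         { $Matches[1] } else { '' }
        $user    = if ($msg -match '(?m)^\s*User:\s*(.+?)\s*$')         { $Matches[1] } else { '' }
        $process = if ($msg -match '(?m)^\s*Process Name:\s*(.+?)\s*$') { $Matches[1] } else { '' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Path    = $path
            User    = $user
            Process = $process
            # PowerShell itself drops __PSScriptPolicyTest_<8 chars>.<3 chars>.ps1 into the temp
            # directory when it probes AppLocker/WDAC script enforcement. Detections that fall
            # outside this name/location pattern are the ones worth examining by hand.
            MatchesKnownPattern = [bool]($path -match
                '(?i)\\Windows\\Temp\\_*PSScriptPolicyTest_[a-z0-9]{8}\.[a-z0-9]{3}\.ps1$')
        }
    }
}

# Usage: list the detections that do NOT fit the known pattern first
Get-ScriptPolicyTestDetections | Sort-Object MatchesKnownPattern, Time | Format-Table -AutoSize
```

The Process column also shows which PowerShell host triggered each detection, so it can be checked against the Maintenance.ps1 command line quoted above.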