PowerShell executes obfuscated code

  • 13 August 2021
  • 0 replies


Today my laptop show me the below event warning, can you help me understand this event?

I have others users/computers (Win10 2H1 - 19043.1151 + Endpoint in my enterprise with same warning.

Thanks, BS

- - -

Event: Process action blocked
User: ****\*****
User type: Active user
Application name: powershell.exe
Application path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0
Rule: PowerShell executes obfuscated code
Source process: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Source process hash: 73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
Source object: object://ps:9EA27D237C4C4BA87128189A0D09470768E9FB49C36C5836FA4E57F0DC76153A
Target object: object://script:Get-ChildItem -LiteralPath `HKLM:SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall` -ErrorAction `Stop` -ErrorVariable `+ErrorUninstallKeyPath` | ForEach-Object { Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction `Stop` -ErrorVariable `+ErrorUninstallKeyPath` | Select-Object DisplayName, DisplayVersion | Where-Object...
Target object hash: 9ea27d237c4c4ba87128189a0d09470768e9fb49c36c5836fa4e57f0dc76153a
Result description: Blocked
Type: Anomaly
Name: PowerShell executes obfuscated code
Precision: Heuristic Analysis
Object type: Process
Object name: powershell.exe
Object path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0

This topic has been closed for comments