I noticed that our Windows Server 2019 VMs, hosted on GCP were often hitting 100% CPU usage, which was odd and started to investigate. It seems that there is an array of PowerShell commands that are running repeatedly that are consuming all the CPU.
These commands seem to scan for user objects with certain names so it's either a GCP guard or some sort of worm/virus. I followed these instructions to log everything about PowerShell but it doesn't shed a lot of light because there is no script file, the commands are passed as arguments to PowerShell and they are always ran by SYSTEM user.
Example commands:
CommandInvocation(Export-ModuleMember): "Export-ModuleMember"
ParameterBinding(Export-ModuleMember): name="Function"; value="Unregister-ClusteredScheduledTask"
ParameterBinding(Export-ModuleMember): name="Alias"; value="*"
Context:
Severity = Informational
Host Name = ConsoleHost
Host Version = 5.1.17763.2183
Host ID = f786eeed-384f-4544-9869-0a9e6d414274
Host Application = powershell Get-ScheduledTask | Where-Object { ($_.Principal.userid -like "*administrator*") -and (($_.Principal.LogonType -eq 'Password') -or ($_.Principal.LogonType -eq 'InteractiveOrPassword')) } | Select-Object TaskName, @{n='Execute'; e={[System.IO.Path]::GetFileName([System.Environment]::ExpandEnvironmentVariables($_.Actions.Execute).Trim(""""))}}, @{n='Arguments'; e={[System.Environment]::ExpandEnvironmentVariables($_.Actions.Arguments)}}
CommandInvocation(Out-Default): "Out-Default"
Context:
Severity = Informational
Host Name = ConsoleHost
Host Version = 5.1.17763.2183
Host ID = aa27bff6-1e9f-482f-9e6f-bfb8b0a0648a
Host Application = powershell Get-WmiObject Win32_Service | Where-Object {$_.startname -Like '*INSPECTION*'}
I tried scanning the VM with Trend Micro Housecall and MBAM but both programs found no threats, except than repeated requests to port 3389 which presumably are brute force attempts.
Is this an attack? If so, how do I disable it?
