MeshAgent creating powershell.exe handles #256
Comments
ooo this is interesting!
ah frig! That's what I was worried about!
It's set to Dutch (The Netherlands)
Uninstalled the agent from this VM for now (it wasn't really required on it and it seems like a somewhat isolated issue). Let me know if I can do anything to help debug the issue. I'll be glad to run some tests to fix this.
I found the commits I was talking about and it was to do with the BitLocker.
Edit: can you also share a screenshot of the Details tab? Does it show information missing at all?
BitLocker is actually not enabled on this VM:
All looks OK, very weird?
Yep. Same issue.
Does it happen straight away, right after you install the MeshAgent? Or does it appear after a period of time? Also, one thing to try is to watch it in Process Explorer (count the number of powershells), then run
Straight away, immediately after launch, I see multiple powershell.exe processes spawning, only one of which persists and presumably fails to exit. That's consistent behavior both before and after I reinstalled it. Then, with patience (I did not time it at all, but I think every 10-30 mins or so) another powershell.exe process gets added to the process list.
Yep, that's the  Every 30ish mins it will do a refresh of your computer's specs! One way to trigger it manually is to run  If you have a moment and are happy to, email me the output from  Then the missing information will be the culprit of the rogue powershell.
Here ya go, hope this helps and is what you meant (I redacted some serial numbers/UIDs with 000-000-0000-like strings).
Some more info:
Not sure if this helps, but I can imagine it is relevant info.
Also,
by the way, as this is the only host out of my ~200 agent installs (a few of which are on Windows Server VMs instead of Win10 VMs in the same ESX infrastructure) which is seemingly showing this behavior, I also ran a
I'm not able to replicate this issue, but I see that windows_volumes uses a different line terminator than all other uses of powershell: MeshAgent/modules/identifiers.js, line 372 in 90f730c
It uses \n instead of \r\n. It looks like your volumes are returning, and it should only return if that powershell exits, but it does run on startup and is part of the sysinfo, so that might be a place to look for the issue, Simon. Is the information returned by the volumes accurate for that device?
@HuFlungDu the volume stuff is now returned by the
@HuFlungDu I've just pushed the fix in the MeshCentral repo, as I do believe you are right! Ylianst/MeshCentral@cf23a3d
@JasperE84 if you are happy to,
@JasperE84 1.1.29 was just released, which included the fix above,
Thanks, I've just upgraded the docker container to see if it is fixed and will let you know soon.
@JasperE84 that's an interesting find...
Unfortunately, 3 stale powershell.exe processes within 40 mins.
Can you share your config.json at all?
Can you also share your
Thank you @JasperE84.
Please can you now try these few things for me, as you're on the latest release:
Sure, here you go!
All looks OK, but just out of curiosity, what does this output? You will need to use cmd, not powershell, in the MeshCentral web UI.
Hello,
Thanks a lot for this tool 👍
FYI, there is a way to log what commands get executed inside the PS session (even piped ones) by enabling the corresponding log on Windows. See https://www.socinvestigation.com/threat-hunting-using-powershell-and-fileless-malware-attacks/ for more info. As the last post by @InternalISTeam shows, this can indeed be a nuisance in a monitored environment, and to improve the general security design I think at least the telemetry stuff should be hard-coded in a script file with a specific path and executed (hopefully without arguments). That will allow easier auditing and thus safe whitelisting.
Hello, thanks, but we cannot find the parent from Windows events (or it is hard to get), no solution right now... so if one of the solutions explained above could be developed it would be very nice!
On a Win10 virtual machine (on ESX) I have an issue with the MeshAgent creating many powershell.exe instances.
This will slowly fill up the VM's memory until no virtual memory is left. The memory clears when the MeshCentral is restarted.
Any ideas what could be causing this? I do not see any remote sessions in MeshCentral's log for this host since the 24th of August, and the memory consumption has been gradually growing since that date because of the many powershell.exe instances (see screenshot below).
Meshcentral version: 1.1.27
Host info:
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.18362 N/A Build 18362
MeshAgent info: