.ps1 files auto-executing from C:\Windows\system32\config\systemprofile\AppData\Local\

Douglas Gray 1 Reputation point

Good afternoon,

I'm using sysmon and I've detected random .ps1 files running across my enterprise at different time intervals. I attempted to locate these .ps1 files on my local Windows 10 system and they have disappeared or been deleted. Is this some normal check that windows automatically runs or potentially something malicious. Below is a snippet of the command that is executed.

powershell -ExecutionPolicy ByPass -FILE \"C:\WINDOWS\system32\config\systemprofile\AppData\Local\cccbdc7c6d344222978a1a4d9a67e2ee.ps1\

I'm just trying to figure out if this is normal behavior as we're seeing across all workstations.

Any help would be greatly appreciated.


OS Versions: Windows 10

Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
5,456 questions
Microsoft Intune Application management
Microsoft Intune Application management
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Application management: The process of creating, configuring, managing, and monitoring applications.
914 questions
Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
4,720 questions
0 comments No comments
{count} votes

6 answers

Sort by: Most helpful
  1. Rich Matheisen 45,831 Reputation points

    If you can't identify it, consider it to be malicious.

    There's no "systemprofile" directory in C:\WINDOWS\system32\config that belongs there. I also doubt there'd be an "AppData" directory; that's the kind of directory you'd find in a user's profile. The "config" directory isn't accessible to normal users, either (unless you've changed the ACL).

    0 comments No comments

  2. Douglas Gray 1 Reputation point

    These are the files located in the folder. I'm wondering if they're possibly related to intune?


  3. Douglas Gray 1 Reputation point

    Thank you for your input. I added some intune tags to the original question. Hopefully that helps further the conversation. Based on what I see in the 'systemprofile' directory, I'm willing to bet it is related to intune, but need confirmation.

  4. Limitless Technology 39,496 Reputation points

    Hi there,

    In general, there shouldn't be any PS script running in the background unless your work environment requires some constant data collection and if you cannot find the original source of the script then it must be something to be taken seriously.

    In addition to sysmon I would also suggest you use Process Explorer which shows you information about which handles and DLLs processes have opened or loaded. You can get the tool from here https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer

    Locate the PowerShell process in the list and double-click it to see its properties. This will give details such as its command line, parent process, environment, and more. If you set the Lower Pane view to "Handles", you can also see used resources such as opened files


    --If the reply is helpful, please Upvote and Accept it as an answer–

    0 comments No comments

  5. Crystal-MSFT 46,086 Reputation points Microsoft Vendor

    @Douglas Gray , Based on my research, Appdata is used for per user configuration and data stores, to achieve a degree of user isolation. The system profile is not a template, it is the profile directory for the system user account.

    For the script, I didn't find it on my Intune enrolled device. As the directory will store system account configuration or data. And the script is with a random id. It is hard to say if it is Intune related. Was the script still there? Can we catch the script? if yes, we can look into the script to know more details.

    Hope it can help.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments