Sorry, wrong forum. -----Original Message----- From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Kennedy, Jim Sent: Friday, December 2, 2016 2:23 PM To: ntsysadm; exchange@lists.myitforum.com Subject: [Exchange] [NTSysADM] Odd <random>.ps1 files.
Seeing these from time to time from my SIEM. Not a lot but fairly consistently. C:\Users\<username>\AppData\Local\Temp\1hv3rbtn.tyz.ps1 These are regular students that can't even run powershell. Always a generated string for the file name. This is a pretty tight environment, the students don't even have email, their filter is very tight. So it's like I have a system generating them...but dang if I can think of one that would do that under a user context.