Sorry, wrong forum.

-----Original Message-----
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kennedy, Jim
Sent: Friday, December 2, 2016 2:23 PM
To: ntsysadm; exchange@lists.myitforum.com
Subject: [Exchange] [NTSysADM] Odd <random>.ps1 files.

Seeing these from time to time from my SIEM.  Not a lot but fairly consistently.

C:\Users\<username>\AppData\Local\Temp\1hv3rbtn.tyz.ps1

These are regular students that can't even run powershell.  Always a generated 
string for the file name.  This is a pretty tight environment, the students 
don't even have email, their filter is very tight.  So it's like I have a 
system generating them...but dang if I can think of one that would do that 
under a user context.

Reply via email to