Posts

Showing posts from February, 2020

Investigation of McAfee Endpoint Agent and Powershell interaction

Recently I came across the logs issued by my McAfee Endpoint Agent that looked suspicious to me. It looked like this. So, svchost.exe started powershell.exe. Based on our corporate policy, this action wasn't blocked. Still, I was not aware there was a PowerShell running on my laptop in the background. Also, the fact that it was run by a system process raised an alarm. I decided at this point to investigate what was actually going on here. The first step was to run a process monitor and observe what powershell.exe was doing. Maybe I could get some idea from the detailed dump from Process Monitor of what exactly it was doing, which script it executed, etc. I started Process Monitor with the filter set to process name "powershell.exe". And indeed, PowerShell was loading some system DLLs, creating and reading some registry keys, etc. The detail that attracted my attention here was the process conhost.exe - very similar to cmd.exe, so another command shell. The whole dump from Process Monitor wa