Unrecognized Powershell Command

Hello,

I am a registered user for Rider and was recently contacted by my cyber security department on a command that was executed while using Rider on my machine. I want to make sure that this is something that is normal and if possible, provide an explanation for my cyber security team on what the command does.

As to not include the entire command for security reasons, I am replacing a long string of text that looks like a cert with CERT_OMITTED. This is the command that was ran:

C:\WINDOWS\system32\cmd.exe" /c "pwsh -NoProfile -NonInteractive -EncodedCommand "CERT_OMITTED"

Here is some additional information if helpful for the hierarchy in which the command was executed:



1 comment
Comment actions Permalink

Hello,

Most likely it is a script to check Windows Defender parameters. You can easily check it by decoding an EncodedCommand. Its format is base64.

Please note, this command is normally executed without privilege elevation and thus cannot do any harm. If Rider decides it wants to change any Windows Defender parameters, a separate prompt will be shown, followed by a privilege elevation request if you accept it.

0

Please sign in to leave a comment.