[New WTFBin]: logmein.com
joaociocca opened this issue · 1 comments
joaociocca commented
- Contributor Name: Johnny Ciocca
- Application/Executable: logmein.com
- WTF Behavior Description: logmein.com triggers a cmd.exe execution of powershell.exe v1.0 with Bypass Execution Policy, which uses WebClient/OpenRead().CanRead to microsoft.com and google.com
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ExecutionPolicy Bypass -Command "((New-Object System.Net.WebClient).OpenRead('https://www.microsoft.com')).CanRead"
- Link to Documentation of Behavior: Unable to find any documentation of this behavior
- Please provide any images for additional evidence.
mttaggart commented
Hmm, I don't know why it would do this, but I don't feel like a program kicking off PowerShell is, by itself, enough to merit a WTFBin. If it were a bizarre domain or base64 encoded, maybe. Even -ep bypass is common enough.
I'm going to pass on this one for now, but I really appreciate the submission! Keep WTFBins in mind in the future!
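One way a detection engineer could triage process-creation command lines like the one reported above, separating the LogMeIn connectivity probe from the signals mttaggart says would matter (an odd domain, an encoded command) while treating a bare -ep bypass as low priority. This is an added example, not code from the WTFBins project or from the issue; the allowlisted hosts and the sample command lines are constructed from the issue's text.

```python
"""Triage PowerShell command lines against the LogMeIn probe pattern from the issue."""
import re
from urllib.parse import urlparse

# Hosts the issue reports the probe reaching (constructed allowlist for this example).
PROBE_HOSTS = {"www.microsoft.com", "www.google.com", "microsoft.com", "google.com"}

RE_PS = re.compile(r"powershell(?:\.exe)?", re.I)
RE_BYPASS = re.compile(r"-(?:executionpolicy|ep|exec?)\s+bypass", re.I)
# -EncodedCommand / -enc / -e followed by a base64-looking argument
RE_ENCODED = re.compile(r"-(?:encodedcommand|enc|e)\s+[A-Za-z0-9+/=]{16,}", re.I)
RE_URL = re.compile(r"https?://[^\s'\"()]+", re.I)
# The exact WebClient.OpenRead(...).CanRead shape quoted in the issue
RE_PROBE = re.compile(r"New-Object\s+System\.Net\.WebClient\).*?OpenRead\(.*?\.CanRead", re.I)


def triage(cmdline: str) -> str:
    """Return a verdict string for one process-creation command line."""
    if not RE_PS.search(cmdline):
        return "ignore: not powershell"
    if RE_ENCODED.search(cmdline):
        return "review: encoded command"
    hosts = {urlparse(u).hostname or "" for u in RE_URL.findall(cmdline)}
    if hosts - PROBE_HOSTS:
        return "review: unexpected host"
    if RE_PROBE.search(cmdline) and hosts:
        return "expected: connectivity probe"
    if RE_BYPASS.search(cmdline):
        return "low: bypass only (common)"
    return "review: other"


# Constructed samples: the command line from the issue, plus two variants for contrast.
LOGMEIN_CMD = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile '
    r'-ExecutionPolicy Bypass -Command "((New-Object System.Net.WebClient)'
    r".OpenRead('https://www.microsoft.com')).CanRead" '"'
)
ODD_HOST_CMD = LOGMEIN_CMD.replace("www.microsoft.com", "cdn.example.invalid")
ENCODED_CMD = "powershell.exe -nop -w hidden -enc " + "A" * 24  # placeholder, not a payload

if __name__ == "__main__":
    for sample in (LOGMEIN_CMD, ODD_HOST_CMD, ENCODED_CMD):
        print(triage(sample), "<-", sample[:60])
```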