Powershell commands in registry key?
Hey folks - we use and love Open Brush at the University of Minnesota - our IT Security flagged a potential issue though. I'm not a programmer; could you take a look at their message and let me know what you think? "Host is triggering alerts in Defender for suspicious process execution of PowerShell commands and suspicious PowerShell in registry. Upon investigation it appears to be caused by an application that was installed from Steam and is called Tilt Brush/Open Brush. This program installation has stored PowerShell commands in hex in the registry key data value. This is very unusual and suspicious activity. Commands can be written in the registry for persistence by threat actors. It is not unheard of for Steam games to have malware. An attacker might be attempting to execute commands automatically without detection. The recommendation would be to remove this software from the Windows 10 device and scan the host with AV."
Hi. I can't see anything we're writing to the registry that could trigger that. Can they provide the registry path and/or the value being written?
Off the top of my head we only write to HKEY_CURRENT_USER\Software\Icosa\Open Brush
We have shell commands installed for offline rendering - but they aren't stored in the registry
[SteamLibrary]\steamapps\common\Open Brush\Support\bin has renderVideo.cmd - but it's an old style Windows batch file - not powershell...
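The developer's reply asks for the registry path and the value that triggered the alert. The script below is an added triage example, not Open Brush project code or anything from the reply above: it walks the one key the developer named, `HKCU\Software\Icosa\Open Brush`, and decodes each value so the IT team can read what is actually stored instead of judging a hex blob. Unity applications keep their PlayerPrefs settings under `HKCU\Software\<Company>\<Product>` as REG_BINARY values, so ordinary string settings show up as hex bytes in a registry viewer; that is one benign reason "commands in hex" can appear in a key like this. The `$KeyPath` value is taken from the reply; the keyword pattern used to flag PowerShell-looking text is an assumption of this example and is only a heuristic.

```powershell
# Added triage example (not Open Brush project code). Decodes every value under the
# key named in the developer's reply so stored text can be read rather than guessed at.
$KeyPath = 'HKCU:\Software\Icosa\Open Brush'   # path taken from the reply above

function Get-DecodedRegistryValues {
    param([string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Key not found: $Path"
        return
    }

    $key = Get-Item -LiteralPath $Path
    foreach ($name in $key.GetValueNames()) {
        $kind = $key.GetValueKind($name)
        $raw  = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        $decoded = $null

        switch ($kind) {
            'Binary' {
                # Unity PlayerPrefs stores string settings as UTF-8 bytes with a trailing NUL
                $text = [System.Text.Encoding]::UTF8.GetString($raw).TrimEnd([char]0)
                $printable = @($text.ToCharArray() | Where-Object { [int]$_ -ge 32 -and [int]$_ -lt 127 }).Count
                # Show as text only when nearly every byte is printable ASCII; otherwise keep hex
                if ($raw.Length -gt 0 -and ($printable / $raw.Length) -gt 0.9) {
                    $decoded = $text
                } else {
                    $decoded = ($raw | ForEach-Object { $_.ToString('x2') }) -join ' '
                }
            }
            default { $decoded = [string]$raw }
        }

        # Heuristic (assumption of this example): flag text that resembles a PowerShell invocation
        $looksLikePs = $decoded -match '(?i)powershell|-EncodedCommand|-enc\b|Invoke-Expression|\bIEX\b'

        [pscustomobject]@{
            Name     = $name
            Kind     = $kind
            Length   = if ($raw -is [byte[]]) { $raw.Length } else { ([string]$raw).Length }
            Decoded  = $decoded
            PSMarker = $looksLikePs
        }
    }
}

Get-DecodedRegistryValues -Path $KeyPath | Format-Table -AutoSize -Wrap
```

Running this as the user who launched the game lists each value with its type, its decoded contents, and a `PSMarker` column. A value that decodes to a plain setting (a path, a preference name, a number) with `PSMarker` false is what a Unity PlayerPrefs entry normally looks like; a value that decodes to an actual PowerShell command line is the thing to hand back to the developers along with the value name, because that is exactly what their reply asks for.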
Thanks! Let me send your response to our team and see what they say
Any word back? I'd like to mark this as resolved if possible.