[New WTFBin]: Nutanix Guest Tools Runs Encoded Powershell Commands

[mbabinski]

• Contributor Name: Micah Babinski (@micahbabinski)
• Application/Executable: Nutanix Guest Tools
• WTF Behavior Description: Nothing too exciting, just another software component that runs encoded powershell. While tuning an alert I observed two commands like: powershell.exe -NoProfile -EncodedCommand VwByAGkAdABlA ...... There appeared to be no logged parent process, at least in the environment where I observed it. The commands decode to: Get-WmiObject -Namespace root\wmi -Class MSiSCSIInitiator_SendTargetPortalClass | Foreach-Object { Write-Host $_.PortalAddress } and Write-Host (Get-WmiObject -Namespace root\wmi -Class MSiSCSIInitiator_MethodClass).iSCSINodeName.
• Link to Documentation of Behavior: https://www.reddit.com/r/nutanix/comments/cyvqkf/apparent_powershell_activity_on_host_vms/ CyberChef Recipe&input=UndCbEFIUUFMUUJYQUcwQWFRQlBBR0lBYWdCbEFHTUFkQUFnQUMwQVRnQmhBRzBBWlFCekFIQUFZUUJqQUdVQUlBQnlBRzhBYndCMEFGd0Fkd0J0QUdrQUlBQXRBRU1BYkFCaEFITUFjd0FnQUUwQVV3QnBBRk1BUXdCVEFFa0FTUUJ1QUdrQWRBQnBBR0VBZEFCdkFISUFYd0JUQUdVQWJnQmtBRlFBWVFCeUFHY0FaUUIwQUZBQWJ3QnlBSFFBWVFCc0FFTUFiQUJoQUhNQWN3QWdBSHdBSUFCR0FHOEFjZ0JsQUdFQVl3Qm9BQzBBVHdCaUFHb0FaUUJqQUhRQUlBQjdBQ0FBVndCeUFHa0FkQUJsQUMwQVNBQnZBSE1BZEFBZ0FDUUFYd0F1QUZBQWJ3QnlBSFFBWVFCc0FFRUFaQUJrQUhJQVpRQnpBSE1BSUFCOUFB)
• Please provide any images for additional evidence. None, log screenshots available upon request!

[mttaggart]

Thanks for your patience, and the great submission as always, @mbabinski! Added in 3c70947