PowerShell Script Dropped Via PowerShell.EXE
Detects a PowerShell host (powershell.exe or pwsh.exe) creating a PowerShell script file (.ps1). This behaviour is often benign, but it can also indicate a dropper script writing a second-stage script to disk in order to achieve persistence.
Sigma rule
```yaml
title: PowerShell Script Dropped Via PowerShell.EXE
id: 576426ad-0131-4001-ae01-be175da0c108
status: test
description: Detects PowerShell creating a PowerShell file (.ps1). While often times this behavior is benign, sometimes it can be a sign of a dropper script trying to achieve persistence.
references:
    - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
author: frack113
date: 2023-05-09
tags:
    - attack.persistence
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        TargetFilename|endswith: '.ps1'
    filter_main_psscriptpolicytest:
        TargetFilename|contains: '__PSScriptPolicyTest_'
    filter_main_appdata:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains: '\AppData\Local\Temp\'
    filter_main_windows_temp:
        TargetFilename|startswith: 'C:\Windows\Temp\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - False positives will differ depending on the environment and scripts used. Apply additional filters accordingly.
level: low
```
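To make the selection-and-filter logic concrete, the following is an added example (not part of the rule page, Sigma, or pySigma) that re-implements the rule's condition in plain Python and runs it over a handful of constructed Sysmon Event ID 11 (FileCreate) events. The event records, paths and the `evaluate` / `matches_rule` helper names are assumptions made for the illustration; only the `Image` and `TargetFilename` fields the rule references are modelled.

```python
"""Re-implementation of the rule's detection logic over constructed file-create
events.  Added example; not code from the Sigma project or the rule author."""

# Constructed sample events (not real telemetry).  Each mimics a Sysmon
# Event ID 11 record reduced to the two fields the rule inspects.
SAMPLE_EVENTS = [
    # PowerShell writing a script into the user's Startup folder: should fire.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.ps1"},
    # PowerShell's own AppLocker/WDAC policy probe file: suppressed by filter_main_psscriptpolicytest.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\__PSScriptPolicyTest_abcd.ps1"},
    # PowerShell 7 writing to the user temp folder: suppressed by filter_main_appdata.
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\build.ps1"},
    # Script written to the system temp folder: suppressed by filter_main_windows_temp.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Windows\Temp\x.ps1"},
    # Not a PowerShell host: never selected.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\tools\a.ps1"},
    # Upper-case extension: Sigma matching is case-insensitive, so this still fires.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\ProgramData\loader.PS1"},
    # PowerShell writing a non-script file: never selected.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\bob\Documents\notes.txt"},
]

# Image|endswith values from the rule's selection block.
POWERSHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe")


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies `selection and not 1 of filter_main_*`."""
    # Sigma string matching is case-insensitive unless the `cased` modifier is
    # used, so both fields are lower-cased before comparison.
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()

    # selection: a PowerShell host creating a .ps1 file
    selection = image.endswith(POWERSHELL_IMAGES) and target.endswith(".ps1")
    if not selection:
        return False

    # Each filter_main_* block is evaluated on its own; `1 of filter_main_*`
    # means that any single filter matching suppresses the hit.
    filter_psscriptpolicytest = "__psscriptpolicytest_" in target
    filter_appdata = target.startswith("c:\\users\\") and "\\appdata\\local\\temp\\" in target
    filter_windows_temp = target.startswith("c:\\windows\\temp\\")

    return not (filter_psscriptpolicytest or filter_appdata or filter_windows_temp)


def evaluate(events):
    """Return the TargetFilename of every event that would raise an alert."""
    return [e["TargetFilename"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for path in evaluate(SAMPLE_EVENTS):
        print("ALERT:", path)
```

Two points worth keeping in mind when tuning this rule. The `__PSScriptPolicyTest_` filter exists because PowerShell itself writes a throw-away `__PSScriptPolicyTest_*.ps1` file to the temp directory to probe whether AppLocker or WDAC policy constrains script execution, so that exclusion is safe. The two temp-folder filters are a deliberate trade of recall for noise: `%LOCALAPPDATA%\Temp` and `C:\Windows\Temp` are also common drop locations for malicious second-stage scripts, so an environment that can tolerate the extra volume may prefer to narrow those filters to known-good tooling rather than exclude the whole directory.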