PowerShell Script Dropped Via PowerShell.EXE

Detects PowerShell (powershell.exe or pwsh.exe) creating a PowerShell script file (.ps1). This behavior is often benign, but it can also be a sign of a dropper script writing a second-stage script to disk to achieve persistence.

Sigma rule

title: PowerShell Script Dropped Via PowerShell.EXE
id: 576426ad-0131-4001-ae01-be175da0c108
status: experimental
description: Detects PowerShell creating a PowerShell file (.ps1). While often times this behavior is benign, sometimes it can be a sign of a dropper script trying to achieve persistence.
references:
    - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
author: frack113
date: 2023/05/09
tags:
    - attack.persistence
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        TargetFilename|endswith: '.ps1'
    filter_main_psscriptpolicytest:
        TargetFilename|contains: '__PSScriptPolicyTest_'
    filter_main_appdata:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains: '\AppData\Local\Temp\'
    filter_main_windows_temp:
        TargetFilename|startswith: 'C:\Windows\Temp\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - False positives will differ depending on the environment and scripts used. Apply additional filters accordingly.
level: low
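To make the rule's `selection and not 1 of filter_main_*` logic concrete, the following added example (not part of the Sigma project or this rule page) re-implements the rule's matching over a handful of constructed Windows file-creation events. It assumes the event records carry the same field names the rule uses (`Image`, `TargetFilename`, as produced by a Sysmon file_event log source), and it applies Sigma's default case-insensitive string matching for the `endswith`, `contains` and `startswith` modifiers. All sample paths are constructed for illustration.

```python
# Added example: evaluate the Sigma rule's detection block over constructed
# file-creation events. Field names (Image, TargetFilename) follow the rule;
# the sample events below are constructed, not real telemetry.
# Sigma string modifiers match case-insensitively by default, so both sides
# are lower-cased before comparison.

SELECTION_IMAGE_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe")
SELECTION_TARGET_SUFFIX = ".ps1"


def _lower(value):
    # Missing fields are treated as empty strings so a record without
    # TargetFilename can never satisfy the selection.
    return (value or "").lower()


def selection_matches(event):
    """selection: Image|endswith powershell.exe/pwsh.exe AND TargetFilename|endswith .ps1"""
    image = _lower(event.get("Image"))
    target = _lower(event.get("TargetFilename"))
    return image.endswith(SELECTION_IMAGE_SUFFIXES) and target.endswith(SELECTION_TARGET_SUFFIX)


def filter_psscriptpolicytest(event):
    """filter_main_psscriptpolicytest: TargetFilename|contains '__PSScriptPolicyTest_'"""
    return "__psscriptpolicytest_" in _lower(event.get("TargetFilename"))


def filter_appdata(event):
    """filter_main_appdata: startswith 'C:\\Users\\' AND contains '\\AppData\\Local\\Temp\\'"""
    target = _lower(event.get("TargetFilename"))
    return target.startswith("c:\\users\\") and "\\appdata\\local\\temp\\" in target


def filter_windows_temp(event):
    """filter_main_windows_temp: TargetFilename|startswith 'C:\\Windows\\Temp\\'"""
    return _lower(event.get("TargetFilename")).startswith("c:\\windows\\temp\\")


FILTERS = (filter_psscriptpolicytest, filter_appdata, filter_windows_temp)


def rule_matches(event):
    """condition: selection and not 1 of filter_main_*"""
    return selection_matches(event) and not any(f(event) for f in FILTERS)


# Constructed sample events (Sysmon-style file_event records).
SAMPLE_EVENTS = [
    # powershell.exe writing a script into a user's Startup folder: alert
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.ps1"},
    # AppLocker/WDAC policy test file, excluded by filter_main_psscriptpolicytest
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\__PSScriptPolicyTest_abcd1234.ps1"},
    # pwsh.exe writing to the user temp folder, excluded by filter_main_appdata
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\tmp1234.ps1"},
    # not a .ps1 file: selection does not match
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\bob\Documents\report.txt"},
    # a different process creating a .ps1: selection does not match
    {"Image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "TargetFilename": r"C:\Users\bob\Documents\build.ps1"},
    # .ps1 created under ProgramData: no filter covers this path, so alert
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\ProgramData\svc\run.ps1"},
]


def alerts(events):
    """Return the TargetFilename of every event the rule fires on."""
    return [e["TargetFilename"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for path in alerts(SAMPLE_EVENTS):
        print("ALERT:", path)
```

Running the block prints the two paths the rule would alert on (the Startup-folder script and the ProgramData script). Note that the policy-test and `AppData\Local\Temp` events still satisfy the selection; they are only suppressed by the filters, which is why tuning in a real environment should add further `filter_main_*` entries rather than loosening the selection.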
