PSScriptPolicyTest Creation By Uncommon Process
Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is normally generated by Microsoft PowerShell itself to test whether AppLocker is enforcing script policy, so a different process writing it indicates a PowerShell host other than the standard binaries.
Sigma rule
```yaml
title: PSScriptPolicyTest Creation By Uncommon Process
id: 1027d292-dd87-4a1a-8701-2abe04d7783c
status: test
description: Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft Powershell to test against Applocker.
references:
    - https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-01
modified: 2025-10-07
tags:
    - attack.defense-evasion
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: '__PSScriptPolicyTest_'
    filter_main_powershell:
        Image:
            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
            - 'C:\Program Files\PowerShell\7\pwsh.exe'
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
    filter_main_pwsh_preview:
        Image|contains:
            - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
            - '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview'
        Image|endswith: '\pwsh.exe'
    filter_main_generic:
        Image:
            - 'C:\Windows\System32\dsac.exe'
            - 'C:\Windows\System32\sdiagnhost.exe'
            - 'C:\Windows\System32\ServerManager.exe'
            - 'C:\Windows\System32\wsmprovhost.exe'
            - 'C:\Windows\SysWOW64\sdiagnhost.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
```
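To make the rule's logic concrete, the following is an added example (not part of the Sigma rule, the Sigma project, or any rule-engine code): a small Python re-implementation of the `selection and not 1 of filter_main_*` condition, run over a handful of constructed Sysmon Event ID 11 (FileCreate) records. Field names follow the Sigma `windows/file_event` log source (`Image`, `TargetFilename`); every path, user name and package folder in the sample events is made up, and the Store package folder name is an assumed value chosen only to exercise the preview filter.

```python
# Added example: mirrors the PSScriptPolicyTest Sigma rule's detection block in Python.
# Not the rule's own tooling; sample events below are constructed for illustration.

# filter_main_powershell and filter_main_generic use exact image matches.
# Sigma string comparison is case-insensitive, so everything is lower-cased.
TRUSTED_IMAGES = {
    p.lower()
    for p in (
        r"C:\Program Files\PowerShell\7-preview\pwsh.exe",
        r"C:\Program Files\PowerShell\7\pwsh.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe",
        r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        r"C:\Windows\System32\dsac.exe",
        r"C:\Windows\System32\sdiagnhost.exe",
        r"C:\Windows\System32\ServerManager.exe",
        r"C:\Windows\System32\wsmprovhost.exe",
        r"C:\Windows\SysWOW64\sdiagnhost.exe",
    )
}

# filter_main_pwsh_preview: Store-installed PowerShell Preview lives in a versioned
# package folder, so the rule matches a path fragment plus an '\pwsh.exe' suffix.
PWSH_PREVIEW_FRAGMENTS = (
    r"c:\program files\windowsapps\microsoft.powershellpreview",
    r"\appdata\local\microsoft\windowsapps\microsoft.powershellpreview",
)


def matches_rule(event: dict) -> bool:
    """True when the event satisfies 'selection and not 1 of filter_main_*'."""
    target = event.get("TargetFilename", "").lower()
    image = event.get("Image", "").lower()

    # selection: TargetFilename|contains '__PSScriptPolicyTest_'
    if "__psscriptpolicytest_" not in target:
        return False

    # filter_main_powershell / filter_main_generic: known PowerShell hosts
    if image in TRUSTED_IMAGES:
        return False

    # filter_main_pwsh_preview: both field conditions inside the filter must hold
    if image.endswith(r"\pwsh.exe") and any(f in image for f in PWSH_PREVIEW_FRAGMENTS):
        return False

    return True


def find_alerts(events) -> list:
    """Return the Image of every event the rule would alert on, in input order."""
    return [e["Image"] for e in events if matches_rule(e)]


# Constructed Sysmon EID 11 style records; users, hashes and package version are invented.
SAMPLE_EVENTS = [
    {   # Windows PowerShell 5.1 writing its own AppLocker probe script: filtered
        "EventID": 11,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\__PSScriptPolicyTest_a1b2c3d4.ps1",
    },
    {   # Store-installed PowerShell Preview (assumed package folder name): filtered
        "EventID": 11,
        "Image": r"C:\Program Files\WindowsApps\Microsoft.PowerShellPreview_7.5.0.0_x64__8wekyb3d8bbwe\pwsh.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\__PSScriptPolicyTest_e5f6a7b8.ps1",
    },
    {   # Unrelated file create by a trusted host: selection does not match
        "EventID": 11,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetFilename": r"C:\Users\alice\Documents\report.txt",
    },
    {   # Unknown binary in a user profile producing the probe script: alert
        "EventID": 11,
        "Image": r"C:\Users\alice\Downloads\updater.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\__PSScriptPolicyTest_c9d0e1f2.ps1",
    },
]

if __name__ == "__main__":
    for img in find_alerts(SAMPLE_EVENTS):
        print("ALERT: __PSScriptPolicyTest_ created by", img)
```

Running the script flags only the fourth event. In practice the rule is compiled for a SIEM with the Sigma tooling rather than evaluated like this; the script is useful for seeing why each filter exists (exact paths for the built-in hosts, a fragment match for the versioned Store package) and for testing a local tuning change, such as adding an in-house tool that legitimately embeds the PowerShell engine, before it is pushed to the rule.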
References
- https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/
Related rules
- Amsi.DLL Loaded Via LOLBIN Process
- Delete Defender Scan ShellEx Context Menu Registry Key
- Files With System Process Name In Unsuspected Locations
- Filter Driver Unloaded Via Fltmc.EXE
- Firewall Rule Deleted Via Netsh.EXE
