PSScriptPolicyTest Creation By Uncommon Process

Detects the creation of a "PSScriptPolicyTest" PowerShell script by an uncommon process. Microsoft PowerShell normally writes this file itself to probe the AppLocker policy when it starts, so a different creating process indicates that the PowerShell engine has been loaded by an unexpected host.

Sigma rule (View on GitHub)

title: PSScriptPolicyTest Creation By Uncommon Process
id: 1027d292-dd87-4a1a-8701-2abe04d7783c
status: experimental
description: Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft Powershell to test against Applocker.
references:
    - https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/06/01
modified: 2023/12/11
tags:
    - attack.defense_evasion
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: '__PSScriptPolicyTest_'
    filter_main_generic:
        Image|endswith:
            - ':\Program Files\PowerShell\7-preview\pwsh.exe'
            - ':\Program Files\PowerShell\7\pwsh.exe'
            - ':\Windows\System32\dsac.exe'
            - ':\Windows\System32\sdiagnhost.exe'
            - ':\Windows\System32\ServerManager.exe'
            - ':\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
            - ':\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
            - ':\Windows\System32\wsmprovhost.exe'
            - ':\Windows\SysWOW64\sdiagnhost.exe'
            - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
            - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
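To see what the rule's `selection and not 1 of filter_main_*` condition does in practice, here is an added Python re-implementation of its matching logic run over constructed file-creation records (Sysmon Event ID 11 shape). It is not part of the rule or of the Sigma project; the user names, paths and file names in the sample events are invented.

```python
"""Evaluate the PSScriptPolicyTest Sigma logic over constructed file events."""

SELECTION_CONTAINS = "__PSScriptPolicyTest_"

# Images the rule accepts as expected creators of the probe file (from the rule).
FILTER_IMAGE_ENDSWITH = (
    r":\Program Files\PowerShell\7-preview\pwsh.exe",
    r":\Program Files\PowerShell\7\pwsh.exe",
    r":\Windows\System32\dsac.exe",
    r":\Windows\System32\sdiagnhost.exe",
    r":\Windows\System32\ServerManager.exe",
    r":\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
    r":\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r":\Windows\System32\wsmprovhost.exe",
    r":\Windows\SysWOW64\sdiagnhost.exe",
    r":\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe",
    r":\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
)


def matches_rule(event: dict) -> bool:
    """True when `selection and not 1 of filter_main_*` holds for one event.
    Sigma's contains/endswith modifiers are case-insensitive, so both sides
    are lower-cased before comparison."""
    target = str(event.get("TargetFilename", "")).lower()
    image = str(event.get("Image", "")).lower()
    selection = SELECTION_CONTAINS.lower() in target
    filter_main_generic = any(image.endswith(s.lower()) for s in FILTER_IMAGE_ENDSWITH)
    return selection and not filter_main_generic


def alerting_images(events) -> list:
    """Images of all events in a batch that trigger the rule, in order."""
    return [e["Image"] for e in events if matches_rule(e)]


# Constructed sample events (invented paths); each comment gives the expected verdict.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # filtered
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\__PSScriptPolicyTest_abcd1234.ps1"},
    {"Image": r"C:\Users\alice\Downloads\updater.exe",  # uncommon host process -> alert
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\__PSScriptPolicyTest_ef567890.psm1"},
    {"Image": r"C:\Users\alice\Downloads\updater.exe",  # no selection match
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\report.txt"},
]

if __name__ == "__main__":
    for img in alerting_images(SAMPLE_EVENTS):
        print("ALERT: PSScriptPolicyTest file created by uncommon process:", img)
```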
