PSScriptPolicyTest Creation By Uncommon Process
Detects the creation of a "__PSScriptPolicyTest_" PowerShell script by an uncommon process. PowerShell writes this file (with a .ps1 and a .psm1 extension) to the user's temp directory when the engine starts, to probe whether an AppLocker or WDAC script policy is enforced. Only known PowerShell hosts should create it; when another binary does, the PowerShell engine is typically being hosted by a custom process (PowerShell without powershell.exe), a defense evasion technique.
Sigma rule
title: PSScriptPolicyTest Creation By Uncommon Process
id: 1027d292-dd87-4a1a-8701-2abe04d7783c
status: test
description: Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft PowerShell to test against AppLocker.
references:
    - https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-01
modified: 2023-12-11
tags:
    - attack.defense-evasion
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: '__PSScriptPolicyTest_'
    filter_main_generic:
        Image|endswith:
            - ':\Program Files\PowerShell\7-preview\pwsh.exe'
            - ':\Program Files\PowerShell\7\pwsh.exe'
            - ':\Windows\System32\dsac.exe'
            - ':\Windows\System32\sdiagnhost.exe'
            - ':\Windows\System32\ServerManager.exe'
            - ':\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
            - ':\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
            - ':\Windows\System32\wsmprovhost.exe'
            - ':\Windows\SysWOW64\sdiagnhost.exe'
            - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
            - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
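To see how the selection, the filter and the condition combine, the rule logic is transcribed below and run over a handful of constructed Sysmon Event ID 11 (FileCreate) records. This is an added example, not code from the rule page or from SigmaHQ; the event records, image paths, PIDs and temp-file names are made up for illustration. Sigma's `contains` and `endswith` modifiers match case-insensitively, so both sides of every comparison are lowercased.

```python
"""Evaluate the 'PSScriptPolicyTest Creation By Uncommon Process' Sigma rule
over constructed Sysmon Event ID 11 (FileCreate) records.

Added example, not part of the Sigma rule page or SigmaHQ's own code. The rule
logic is transcribed from the YAML above; the events below are constructed and
their paths, PIDs and file names are assumptions for illustration only.
"""

# Sigma string modifiers ('contains', 'endswith') are case-insensitive,
# so every comparison below lowercases both sides.
SELECTION_CONTAINS = "__PSScriptPolicyTest_"

# Image|endswith list from filter_main_generic (drive-letter agnostic: ':\...')
FILTER_IMAGE_ENDSWITH = [
    r":\Program Files\PowerShell\7-preview\pwsh.exe",
    r":\Program Files\PowerShell\7\pwsh.exe",
    r":\Windows\System32\dsac.exe",
    r":\Windows\System32\sdiagnhost.exe",
    r":\Windows\System32\ServerManager.exe",
    r":\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
    r":\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r":\Windows\System32\wsmprovhost.exe",
    r":\Windows\SysWOW64\sdiagnhost.exe",
    r":\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe",
    r":\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
]


def selection(event: dict) -> bool:
    """selection: TargetFilename|contains '__PSScriptPolicyTest_'."""
    return SELECTION_CONTAINS.lower() in event.get("TargetFilename", "").lower()


def filter_main_generic(event: dict) -> bool:
    """filter_main_generic: Image|endswith one of the known PowerShell hosts."""
    image = event.get("Image", "").lower()
    return any(image.endswith(suffix.lower()) for suffix in FILTER_IMAGE_ENDSWITH)


def matches(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_*."""
    return selection(event) and not filter_main_generic(event)


# Constructed Sysmon Event ID 11 records (Sysmon field names; values made up).
SAMPLE_EVENTS = [
    {   # benign: Windows PowerShell probing the script policy at startup
        "EventID": 11, "ProcessId": 4120,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\__PSScriptPolicyTest_abcd1234.efgh.ps1",
    },
    {   # benign: PowerShell 7 with a mixed-case image path (must still be filtered)
        "EventID": 11, "ProcessId": 5208,
        "Image": r"C:\PROGRAM FILES\PowerShell\7\PWSH.EXE",
        "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\__PSScriptPolicyTest_ijkl5678.mnop.psm1",
    },
    {   # suspicious: an unknown binary hosting the PowerShell engine writes the probe file
        "EventID": 11, "ProcessId": 6632,
        "Image": r"C:\Users\alice\Downloads\updater.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\__PSScriptPolicyTest_qrst9012.uvwx.ps1",
    },
    {   # unrelated file creation by the same unknown binary: selection does not match
        "EventID": 11, "ProcessId": 6632,
        "Image": r"C:\Users\alice\Downloads\updater.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\config.json",
    },
]


def alerting_images(events=SAMPLE_EVENTS) -> list:
    """Return the Image field of every event the rule fires on, in order."""
    return [e["Image"] for e in events if matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        flag = "ALERT" if matches(e) else "     "
        print(flag, e["Image"], "->", e["TargetFilename"])
```

Two things worth noting when deploying the rule. The filter is anchored on path suffixes, so a legitimate powershell.exe copied to another location (or renamed) will alert, while any binary sitting at a path that ends in one of the listed suffixes, on any drive letter, is silently excluded. And the rule can only fire if the file-creation telemetry exists: a Sysmon configuration that does not log FileCreate events for .ps1/.psm1 files under the user's temp directory will never produce the selection.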