PSScriptPolicyTest Creation By Uncommon Process
Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft PowerShell to test against AppLocker, so a process other than the known PowerShell hosts writing it is worth investigating.
Sigma rule
title: PSScriptPolicyTest Creation By Uncommon Process
id: 1027d292-dd87-4a1a-8701-2abe04d7783c
status: experimental
description: Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft Powershell to test against Applocker.
references:
  - https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-01
modified: 2023-12-11
tags:
  - attack.defense-evasion
logsource:
  product: windows
  category: file_event
detection:
  selection:
    TargetFilename|contains: '__PSScriptPolicyTest_'
  filter_main_generic:
    Image|endswith:
      - ':\Program Files\PowerShell\7-preview\pwsh.exe'
      - ':\Program Files\PowerShell\7\pwsh.exe'
      - ':\Windows\System32\dsac.exe'
      - ':\Windows\System32\sdiagnhost.exe'
      - ':\Windows\System32\ServerManager.exe'
      - ':\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
      - ':\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
      - ':\Windows\System32\wsmprovhost.exe'
      - ':\Windows\SysWOW64\sdiagnhost.exe'
      - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
      - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
  condition: selection and not 1 of filter_main_*
falsepositives:
  - Unknown
level: medium
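The following is an added example, not part of the Sigma rule or the Sigma project, that evaluates the rule's logic (`selection and not 1 of filter_main_*`) in plain Python over a handful of constructed file-creation events shaped like Sysmon Event ID 11 records. The `Image` and `TargetFilename` field names are the ones the rule uses; the file names, user paths and the `updater.exe` process are constructed for the example. Sigma string modifiers are case-insensitive by default, which is why both comparisons lower-case their inputs.

```python
"""Evaluate the 'PSScriptPolicyTest Creation By Uncommon Process' Sigma
logic against constructed file-create events (added example)."""

# Image suffixes copied from the rule's filter_main_generic list. They start
# with ':\' so any drive letter matches, exactly as the Sigma rule intends.
FILTER_MAIN_GENERIC = (
    r':\Program Files\PowerShell\7-preview\pwsh.exe',
    r':\Program Files\PowerShell\7\pwsh.exe',
    r':\Windows\System32\dsac.exe',
    r':\Windows\System32\sdiagnhost.exe',
    r':\Windows\System32\ServerManager.exe',
    r':\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe',
    r':\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
    r':\Windows\System32\wsmprovhost.exe',
    r':\Windows\SysWOW64\sdiagnhost.exe',
    r':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe',
    r':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe',
)

# The rule's selection: TargetFilename|contains
SELECTION_SUBSTRING = '__PSScriptPolicyTest_'


def matches_rule(event: dict) -> bool:
    """Return True when `selection and not 1 of filter_main_*` holds.

    Sigma 'contains' and 'endswith' are case-insensitive by default, so the
    comparison is done on lower-cased strings.
    """
    target = str(event.get('TargetFilename', '')).lower()
    image = str(event.get('Image', '')).lower()

    # selection
    if SELECTION_SUBSTRING.lower() not in target:
        return False

    # not 1 of filter_main_*: any listed host path suppresses the match
    if any(image.endswith(suffix.lower()) for suffix in FILTER_MAIN_GENERIC):
        return False
    return True


def run_detection(events):
    """Return the Image of every event that fires the rule, in input order."""
    return [e['Image'] for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry). Field names follow Sysmon
# Event ID 11 (FileCreate); file names imitate the __PSScriptPolicyTest_ form.
SAMPLE_EVENTS = [
    # Expected: filtered out, Windows PowerShell writing its own test script
    {'EventID': 11,
     'Image': r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
     'TargetFilename': r'C:\Users\alice\AppData\Local\Temp\__PSScriptPolicyTest_aaaaaaaa.bbb.ps1'},
    # Expected: filtered out, PowerShell 7 on a non-C: drive (suffix match)
    {'EventID': 11,
     'Image': r'D:\Program Files\PowerShell\7\pwsh.exe',
     'TargetFilename': r'C:\Users\alice\AppData\Local\Temp\__PSScriptPolicyTest_cccccccc.ddd.ps1'},
    # Expected: no selection match, an unrelated file
    {'EventID': 11,
     'Image': r'C:\Windows\System32\notepad.exe',
     'TargetFilename': r'C:\Users\alice\Documents\notes.txt'},
    # Expected: alert, an unknown binary writing the test script
    {'EventID': 11,
     'Image': r'C:\Users\alice\Downloads\updater.exe',
     'TargetFilename': r'C:\Users\alice\AppData\Local\Temp\__PSScriptPolicyTest_eeeeeeee.fff.ps1'},
    # Expected: alert, powershell.exe running from a non-standard directory
    # (the filter is on the full path suffix, not on the file name alone)
    {'EventID': 11,
     'Image': r'C:\Users\alice\AppData\Local\Temp\powershell.exe',
     'TargetFilename': r'C:\Users\alice\AppData\Local\Temp\__PSScriptPolicyTest_gggggggg.hhh.ps1'},
]


if __name__ == '__main__':
    for image in run_detection(SAMPLE_EVENTS):
        print('ALERT: PSScriptPolicyTest created by uncommon process:', image)
```

The last sample event shows why the filter is written as full-path suffixes rather than bare executable names: a copy of `powershell.exe` in a user-writable directory is not excluded, which matches the rule's intent of only trusting the stock PowerShell hosts. When tuning for a specific environment, any additional legitimate host would be added as a new `filter_main_*` entry rather than by loosening the `selection`.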
Related rules
- AD Object WriteDAC Access
- ADS Zone.Identifier Deleted By Uncommon Application
- AMSI Bypass Pattern Assembly GetType
- APT PRIVATELOG Image Load Pattern
- APT27 - Emissary Panda Activity