sigmaDRL-1.1from SigmaHQ/sigma
PSScriptPolicyTest Creation By Uncommon Process
Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft Powershell to test against Applocker.
Quality
64
FP risk
—
Forks
0
Views
0
Rule sourcerules/windows/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml
title: PSScriptPolicyTest Creation By Uncommon Process
id: 1027d292-dd87-4a1a-8701-2abe04d7783c
status: test
description: Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft Powershell to test against Applocker.
references:
- https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-01
modified: 2025-10-07
tags:
- attack.defense-evasion
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|contains: '__PSScriptPolicyTest_'
filter_main_powershell:
Image:
- 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
- 'C:\Program Files\PowerShell\7\pwsh.exe'
- 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
- 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
- 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
- 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
filter_main_pwsh_preview:
Image|contains:
- 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
- '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview'
Image|endswith: '\pwsh.exe'
filter_main_generic:
Image:
- 'C:\Windows\System32\dsac.exe'
- 'C:\Windows\System32\sdiagnhost.exe'
- 'C:\Windows\System32\ServerManager.exe'
- 'C:\Windows\System32\wsmprovhost.exe'
- 'C:\Windows\SysWOW64\sdiagnhost.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium