
PSScriptPolicyTest Creation By Uncommon Process

Status: test
Severity: medium
Author: Nasreddine Bencherchali (Nextron Systems)
Source: github.com/SigmaHQ/sigma

Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft PowerShell to test against AppLocker, so a creator other than a known PowerShell host (or one of the whitelisted system binaries below) indicates that something else is hosting the PowerShell engine.

Event coverage

Provider   Event        Title
Sysmon     Event ID 11  FileCreate

Rule body (yaml)

title: PSScriptPolicyTest Creation By Uncommon Process
id: 1027d292-dd87-4a1a-8701-2abe04d7783c
status: test
description: Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft Powershell to test against Applocker.
references:
    - https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-01
modified: 2025-10-07
tags:
    - attack.stealth
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: '__PSScriptPolicyTest_'
    filter_main_powershell:
        Image:
            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
            - 'C:\Program Files\PowerShell\7\pwsh.exe'
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
    filter_main_pwsh_preview:
        Image|contains:
            - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
            - '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview'
        Image|endswith: '\pwsh.exe'
    filter_main_generic:
        Image:
            - 'C:\Windows\System32\dsac.exe'
            - 'C:\Windows\System32\sdiagnhost.exe'
            - 'C:\Windows\System32\ServerManager.exe'
            - 'C:\Windows\System32\wsmprovhost.exe'
            - 'C:\Windows\SysWOW64\sdiagnhost.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium

Stages and Predicates

Stage 0: condition

selection and not 1 of filter_main_*

Stage 1: selection

selection:
    TargetFilename|contains: '__PSScriptPolicyTest_'

Stage 2: not filter_main_*

filter_main_powershell:
    Image:
        - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
        - 'C:\Program Files\PowerShell\7\pwsh.exe'
        - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
        - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
        - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
filter_main_pwsh_preview:
    Image|contains:
        - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
        - '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview'
    Image|endswith: '\pwsh.exe'
filter_main_generic:
    Image:
        - 'C:\Windows\System32\dsac.exe'
        - 'C:\Windows\System32\sdiagnhost.exe'
        - 'C:\Windows\System32\ServerManager.exe'
        - 'C:\Windows\System32\wsmprovhost.exe'
        - 'C:\Windows\SysWOW64\sdiagnhost.exe'
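As an added example (not code from SigmaHQ or this catalog page), the stages above translated into Python predicates and run over constructed Sysmon FileCreate events; the event field names, the sample paths and the PowerShellPreview package folder name are assumptions. It also shows why both sides of every comparison are lowercased: Sigma string matching is case-insensitive, and a case-sensitive port would alert on a normal powershell.exe whose path was logged in a different case.

```python
# Added example (not SigmaHQ's code): evaluates "selection and not 1 of
# filter_main_*" over constructed Sysmon Event ID 11 records. Sigma string
# matching is case-insensitive, so both sides are lowercased (see evt-1).
FILTER_MAIN_POWERSHELL = {p.lower() for p in [
    r"C:\Program Files\PowerShell\7-preview\pwsh.exe",
    r"C:\Program Files\PowerShell\7\pwsh.exe",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe",
    r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
]}
FILTER_MAIN_PWSH_PREVIEW_CONTAINS = [p.lower() for p in [
    r"C:\Program Files\WindowsApps\Microsoft.PowerShellPreview",
    r"\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview",
]]
FILTER_MAIN_GENERIC = {p.lower() for p in [
    r"C:\Windows\System32\dsac.exe",
    r"C:\Windows\System32\sdiagnhost.exe",
    r"C:\Windows\System32\ServerManager.exe",
    r"C:\Windows\System32\wsmprovhost.exe",
    r"C:\Windows\SysWOW64\sdiagnhost.exe",
]}
def selection(event):  # TargetFilename|contains: '__PSScriptPolicyTest_'
    return "__psscriptpolicytest_" in event.get("TargetFilename", "").lower()
def filter_main_powershell(event):  # Image: exact match against the list
    return event.get("Image", "").lower() in FILTER_MAIN_POWERSHELL
def filter_main_pwsh_preview(event):  # Image|contains AND Image|endswith
    image = event.get("Image", "").lower()
    return image.endswith(r"\pwsh.exe") and any(
        p in image for p in FILTER_MAIN_PWSH_PREVIEW_CONTAINS)
def filter_main_generic(event):
    return event.get("Image", "").lower() in FILTER_MAIN_GENERIC
def rule_matches(event):  # condition: selection and not 1 of filter_main_*
    filters = (filter_main_powershell, filter_main_pwsh_preview, filter_main_generic)
    return selection(event) and not any(f(event) for f in filters)

# Constructed sample events; the PowerShellPreview package folder is a placeholder.
SAMPLE_EVENTS = [
    {"id": "evt-1", "Image": r"C:\WINDOWS\System32\WindowsPowerShell\v1.0\POWERSHELL.EXE",
     "TargetFilename": r"C:\Temp\__PSScriptPolicyTest_abcd1234.ps1"},  # filtered despite case
    {"id": "evt-2", "Image": r"C:\Users\alice\Downloads\updater.exe",
     "TargetFilename": r"C:\Temp\__PSScriptPolicyTest_ef567890.ps1"},  # uncommon host: alerts
    {"id": "evt-3", "Image": r"C:\Program Files\WindowsApps\Microsoft.PowerShellPreview_PLACEHOLDER\pwsh.exe",
     "TargetFilename": r"C:\Temp\__PSScriptPolicyTest_12ab34cd.ps1"},  # filtered
]

def alerting_event_ids(events):
    return [e["id"] for e in events if rule_matches(e)]
```

Only evt-2 survives the filters; a process outside the allow-list creating this file is the signal the rule is built to surface, and the event's Image is what an analyst triages first.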

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses. The two "match" rows and the "ends_with" row all come from filter_main_pwsh_preview, where they must hold together for the event to be excluded; each "eq" row excludes on its own.

Stage  Field  Kind       Excluded value
2      Image  match      C:\Program Files\WindowsApps\Microsoft.PowerShellPreview
2      Image  match      \AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview
2      Image  ends_with  \pwsh.exe
2      Image  eq         C:\Program Files\PowerShell\7-preview\pwsh.exe
2      Image  eq         C:\Program Files\PowerShell\7\pwsh.exe
2      Image  eq         C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
2      Image  eq         C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe
2      Image  eq         C:\Windows\SysWOW64\sdiagnhost.exe
2      Image  eq         C:\Windows\System32\ServerManager.exe
2      Image  eq         C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2      Image  eq         C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
2      Image  eq         C:\Windows\System32\dsac.exe
2      Image  eq         C:\Windows\System32\sdiagnhost.exe
2      Image  eq         C:\Windows\System32\wsmprovhost.exe

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field           Kind   Values
TargetFilename  match  • __PSScriptPolicyTest_   corpus 2 (sigma 2)