Detection rules › Sigma
PSScriptPolicyTest Creation By Uncommon Process
Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft Powershell to test against Applocker.
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 11 | FileCreate |
Stages and Predicates
Stage 1: selection
TargetFilename|contains: __PSScriptPolicyTest_
Stage 2: not 1 of filter_main_*
or:
or:
Image|contains: 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
Image|contains: '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview'
Image|endswith: '\pwsh.exe'
Image: 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
Image: 'C:\Program Files\PowerShell\7\pwsh.exe'
Image: 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
Image: 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
Image: 'C:\Windows\SysWOW64\sdiagnhost.exe'
Image: 'C:\Windows\System32\ServerManager.exe'
Image: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
Image: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
Image: 'C:\Windows\System32\dsac.exe'
Image: 'C:\Windows\System32\sdiagnhost.exe'
Image: 'C:\Windows\System32\wsmprovhost.exe'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Image | ends_with |
|
Image | eq |
|
Image | match |
|
TargetFilename | match |
|