sigma · medium · Hunting
PSScriptPolicyTest Creation By Uncommon Process
Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft PowerShell to test against AppLocker.
Detection Query
selection:
  TargetFilename|contains: __PSScriptPolicyTest_
filter_main_powershell:
  Image:
    - C:\Program Files\PowerShell\7-preview\pwsh.exe
    - C:\Program Files\PowerShell\7\pwsh.exe
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
filter_main_pwsh_preview:
  Image|contains:
    - C:\Program Files\WindowsApps\Microsoft.PowerShellPreview
    - \AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview
  Image|endswith: \pwsh.exe
filter_main_generic:
  Image:
    - C:\Windows\System32\dsac.exe
    - C:\Windows\System32\sdiagnhost.exe
    - C:\Windows\System32\ServerManager.exe
    - C:\Windows\System32\wsmprovhost.exe
    - C:\Windows\SysWOW64\sdiagnhost.exe
condition: selection and not 1 of filter_main_*
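To make the condition concrete, the following is an added example (not part of the rule above and not code from the Sigma project): a small hand-written evaluator for exactly this rule's detection block, run over a handful of constructed file-event records. It assumes the usual Sigma string semantics, namely case-insensitive comparison, a plain field with a list value meaning "equals any entry", `|contains` / `|endswith` as substring and suffix tests, several keys inside one selection map being AND-ed, and `1 of filter_main_*` meaning "any of the filter selections". All image paths and target filenames in `SAMPLE_EVENTS` are made up for the example.

```python
"""Added example: evaluate this Sigma rule's detection logic over constructed
file-event records. Not part of the rule or of the Sigma project."""
from typing import Callable, Dict, List

# Values copied verbatim from the rule's detection section.
SELECTION_CONTAINS = "__PSScriptPolicyTest_"

FILTER_POWERSHELL_IMAGE = [
    r"C:\Program Files\PowerShell\7-preview\pwsh.exe",
    r"C:\Program Files\PowerShell\7\pwsh.exe",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe",
    r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
]
FILTER_PWSH_PREVIEW_CONTAINS = [
    r"C:\Program Files\WindowsApps\Microsoft.PowerShellPreview",
    r"\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview",
]
FILTER_PWSH_PREVIEW_ENDSWITH = r"\pwsh.exe"
FILTER_GENERIC_IMAGE = [
    r"C:\Windows\System32\dsac.exe",
    r"C:\Windows\System32\sdiagnhost.exe",
    r"C:\Windows\System32\ServerManager.exe",
    r"C:\Windows\System32\wsmprovhost.exe",
    r"C:\Windows\SysWOW64\sdiagnhost.exe",
]

Event = Dict[str, str]


def _field(event: Event, name: str) -> str:
    # Sigma string matching is case-insensitive by default (assumption stated
    # in the lead-in), so every comparison works on lower-cased values.
    return event.get(name, "").lower()


def selection(event: Event) -> bool:
    # TargetFilename|contains: substring test.
    return SELECTION_CONTAINS.lower() in _field(event, "TargetFilename")


def filter_main_powershell(event: Event) -> bool:
    # A plain field with a list value: exact match against any list entry.
    return _field(event, "Image") in {p.lower() for p in FILTER_POWERSHELL_IMAGE}


def filter_main_pwsh_preview(event: Event) -> bool:
    # Two keys in one selection map are AND-ed; the list under
    # Image|contains is OR-ed. A binary inside the Preview package folder
    # that is not pwsh.exe therefore does NOT satisfy this filter.
    image = _field(event, "Image")
    in_preview_dir = any(s.lower() in image for s in FILTER_PWSH_PREVIEW_CONTAINS)
    return in_preview_dir and image.endswith(FILTER_PWSH_PREVIEW_ENDSWITH.lower())


def filter_main_generic(event: Event) -> bool:
    return _field(event, "Image") in {p.lower() for p in FILTER_GENERIC_IMAGE}


# "1 of filter_main_*": every selection whose name matches the glob.
FILTERS: List[Callable[[Event], bool]] = [
    filter_main_powershell,
    filter_main_pwsh_preview,
    filter_main_generic,
]


def matches(event: Event) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return selection(event) and not any(f(event) for f in FILTERS)


# Constructed sample events (file_event category). Paths are invented.
POLICY_TEST_FILE = r"C:\Users\alice\AppData\Local\Temp\__PSScriptPolicyTest_aaaa1111.ps1"
PREVIEW_DIR = r"C:\Program Files\WindowsApps\Microsoft.PowerShellPreview_x64__8wekyb3d8bbwe"
SAMPLE_EVENTS: List[Event] = [
    # 0: the normal AppLocker probe by Windows PowerShell: filtered out.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": POLICY_TEST_FILE},
    # 1: same binary logged in upper case: still filtered (case-insensitive).
    {"Image": r"C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE",
     "TargetFilename": POLICY_TEST_FILE},
    # 2: Store-installed PowerShell Preview: contains AND endswith both hold.
    {"Image": PREVIEW_DIR + r"\pwsh.exe", "TargetFilename": POLICY_TEST_FILE},
    # 3: unrelated file written by PowerShell: selection is false.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
    # 4: policy test file written by a process in no filter: alert.
    {"Image": r"C:\Users\alice\Downloads\updater.exe", "TargetFilename": POLICY_TEST_FILE},
    # 5: non-pwsh binary inside the Preview package folder: endswith fails, alert.
    {"Image": PREVIEW_DIR + r"\helper.exe", "TargetFilename": POLICY_TEST_FILE},
]


def run(events: List[Event] = SAMPLE_EVENTS) -> List[str]:
    """Return the Image of every event the rule would alert on, in order."""
    return [e["Image"] for e in events if matches(e)]


if __name__ == "__main__":
    for image in run():
        print("ALERT:", image)
```

Events 4 and 5 are the only hits: the first because the host process is simply not on any allow-list, the second because `filter_main_pwsh_preview` requires both the package-folder substring and the `\pwsh.exe` suffix. When tuning this rule for a fleet, that AND is the part worth re-checking, since a new exclusion added under `Image|contains` alone will not silence binaries with a different name.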
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2023-06-01
Data Sources
windows / File Events
Platforms
windows
References
- https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/
Tags
attack.defense-evasion
Raw Content
title: PSScriptPolicyTest Creation By Uncommon Process
id: 1027d292-dd87-4a1a-8701-2abe04d7783c
status: test
description: Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft PowerShell to test against AppLocker.
references:
  - https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-01
modified: 2025-10-07
tags:
  - attack.defense-evasion
logsource:
  product: windows
  category: file_event
detection:
  selection:
    TargetFilename|contains: '__PSScriptPolicyTest_'
  filter_main_powershell:
    Image:
      - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
      - 'C:\Program Files\PowerShell\7\pwsh.exe'
      - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
      - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
      - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
      - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
  filter_main_pwsh_preview:
    Image|contains:
      - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
      - '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview'
    Image|endswith: '\pwsh.exe'
  filter_main_generic:
    Image:
      - 'C:\Windows\System32\dsac.exe'
      - 'C:\Windows\System32\sdiagnhost.exe'
      - 'C:\Windows\System32\ServerManager.exe'
      - 'C:\Windows\System32\wsmprovhost.exe'
      - 'C:\Windows\SysWOW64\sdiagnhost.exe'
  condition: selection and not 1 of filter_main_*
falsepositives:
  - Unknown
level: medium