← Back to Explore
sigmalowHunting
PowerShell Script Dropped Via PowerShell.EXE
Detects PowerShell creating a PowerShell file (.ps1). While often times this behavior is benign, sometimes it can be a sign of a dropper script trying to achieve persistence.
Detection Query
selection:
Image|endswith:
- \powershell.exe
- \pwsh.exe
TargetFilename|endswith: .ps1
filter_main_psscriptpolicytest:
TargetFilename|contains: __PSScriptPolicyTest_
filter_main_appdata:
TargetFilename|startswith: C:\Users\
TargetFilename|contains: \AppData\Local\Temp\
filter_main_windows_temp:
TargetFilename|startswith: C:\Windows\Temp\
condition: selection and not 1 of filter_main_*
Author
frack113
Created
2023-05-09
Data Sources
windowsFile Events
Platforms
windows
References
Tags
attack.persistence
Raw Content
title: PowerShell Script Dropped Via PowerShell.EXE
id: 576426ad-0131-4001-ae01-be175da0c108
status: test
description: Detects PowerShell creating a PowerShell file (.ps1). While often times this behavior is benign, sometimes it can be a sign of a dropper script trying to achieve persistence.
references:
- https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
author: frack113
date: 2023-05-09
tags:
- attack.persistence
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
TargetFilename|endswith: '.ps1'
filter_main_psscriptpolicytest:
TargetFilename|contains: '__PSScriptPolicyTest_'
filter_main_appdata:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|contains: '\AppData\Local\Temp\'
filter_main_windows_temp:
TargetFilename|startswith: 'C:\Windows\Temp\'
condition: selection and not 1 of filter_main_*
falsepositives:
- False positives will differ depending on the environment and scripts used. Apply additional filters accordingly.
level: low