PowerShell Script Dropped Via PowerShell.EXE
Detects PowerShell (powershell.exe or pwsh.exe) creating a PowerShell script file (.ps1). This behavior is often benign, but it can also be a sign of a dropper script trying to achieve persistence.
Log Source
Product: Windows (raw: windows)
Category: File Event (raw: file_event)
Events for file system activity including creation, modification, and deletion.
Detection Logic (4 selectors)
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        TargetFilename|endswith: '.ps1'
    filter_main_psscriptpolicytest:
        TargetFilename|contains: '__PSScriptPolicyTest_'
    filter_main_appdata:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains: '\AppData\Local\Temp\'
    filter_main_windows_temp:
        TargetFilename|startswith: 'C:\Windows\Temp\'
    condition: selection and not 1 of filter_main_*
False Positives
False positives will differ depending on the environment and scripts used. Apply additional filters accordingly.
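To see how the selection and the three filter_main_* exclusions interact, the following is an added Python example that evaluates the rule's logic over constructed file-creation events. It is not part of the rule, the Sigma project, or any converter backend. The field names Image and TargetFilename are the rule's own; every event, path and file name below is made up for illustration. Sigma string modifiers (endswith, startswith, contains) compare case-insensitively, and two keys inside one selector are ANDed, which the emulation reproduces.

```python
"""Emulation of the Sigma rule 'PowerShell Script Dropped Via PowerShell.EXE'.

Added example, not the rule's own code or any Sigma backend. Sigma string
modifiers compare case-insensitively, so both sides are lower-cased.
"""

# Constructed file_event records (Sysmon Event ID 11-style fields); not real telemetry.
SAMPLE_EVENTS = [
    # 1: powershell.exe writes a .ps1 outside every filtered location -> alert
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\ProgramData\Updater\update.ps1"},
    # 2: pwsh.exe (PowerShell 7) with an upper-case extension -> still alerts
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "TargetFilename": r"C:\Users\Public\Documents\Run.PS1"},
    # 3: execution-policy probe file PowerShell itself writes -> filtered
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\__PSScriptPolicyTest_k2m0vkad.tcq.ps1"},
    # 4: arbitrary script in the user's Local\Temp -> filtered by filter_main_appdata
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\stage2.ps1"},
    # 5: script in C:\Windows\Temp -> filtered by filter_main_windows_temp
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Windows\Temp\setup.ps1"},
    # 6: .ps1 written by cmd.exe -> selection does not match (wrong Image)
    {"Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Temp\evil.ps1"},
    # 7: Roaming profile, not Local\Temp -> appdata filter does not apply -> alert
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\persist.ps1"},
]


def _endswith(value, suffixes):
    """Sigma |endswith with a list of values: any suffix may match."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _startswith(value, prefix):
    return value.lower().startswith(prefix.lower())


def _contains(value, needle):
    return needle.lower() in value.lower()


def selection(ev):
    """Image ends with \\powershell.exe or \\pwsh.exe AND TargetFilename ends with .ps1."""
    return (_endswith(ev.get("Image", ""), ["\\powershell.exe", "\\pwsh.exe"])
            and _endswith(ev.get("TargetFilename", ""), [".ps1"]))


def filter_main_psscriptpolicytest(ev):
    return _contains(ev.get("TargetFilename", ""), "__PSScriptPolicyTest_")


def filter_main_appdata(ev):
    # Two keys in one Sigma selector are ANDed: both conditions must hold.
    t = ev.get("TargetFilename", "")
    return _startswith(t, "C:\\Users\\") and _contains(t, "\\AppData\\Local\\Temp\\")


def filter_main_windows_temp(ev):
    return _startswith(ev.get("TargetFilename", ""), "C:\\Windows\\Temp\\")


FILTERS = (filter_main_psscriptpolicytest, filter_main_appdata, filter_main_windows_temp)


def matches(ev):
    """condition: selection and not 1 of filter_main_*  ('1 of' is an OR over the filters)."""
    return selection(ev) and not any(f(ev) for f in FILTERS)


def run(events):
    """Return the TargetFilename of every event the rule would alert on, in input order."""
    return [ev["TargetFilename"] for ev in events if matches(ev)]


if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Events 4 and 5 show the trade-off the filters make: any script PowerShell drops into the user's Local\Temp or into C:\Windows\Temp is excluded, which removes the noisiest benign writes but also excludes two locations droppers commonly use. If you tune the rule for your environment, prefer narrowing filter_main_appdata (for example to specific installer paths) over deleting it outright.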
MITRE ATT&CK
Tactics: Persistence (from tag attack.persistence)
Rule Metadata
Rule ID: 576426ad-0131-4001-ae01-be175da0c108
Status: test
Level: low
Type: Detection
Created: Tue May 09
Author:
Path: rules/windows/file/file_event/file_event_win_powershell_drop_powershell.yml
Raw Tags: attack.persistence