Adversaries may use PowerShell.EXE to drop and execute malicious PowerShell scripts (.ps1) as part of initial compromise or persistence efforts. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential dropper scripts that could lead to further malicious activity.
Detection Rule
title: PowerShell Script Dropped Via PowerShell.EXE
id: 576426ad-0131-4001-ae01-be175da0c108
status: test
description: Detects PowerShell creating a PowerShell file (.ps1). While this behavior is often benign, it can sometimes be a sign of a dropper script trying to achieve persistence.
references:
    - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
author: frack113
date: 2023-05-09
tags:
    - attack.persistence
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        TargetFilename|endswith: '.ps1'
    filter_main_psscriptpolicytest:
        TargetFilename|contains: '__PSScriptPolicyTest_'
    filter_main_appdata:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains: '\AppData\Local\Temp\'
    filter_main_windows_temp:
        TargetFilename|startswith: 'C:\Windows\Temp\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - False positives will differ depending on the environment and the scripts in use. Apply additional filters accordingly.
level: low
Azure Sentinel (KQL) translation of the rule, using the ASIM imFileEvent parser:
// In the ASIM FileEvent schema the creating process is ActingProcessName and the
// created file's full path is TargetFilePath. The original translation compared the
// created file's path against powershell.exe, which can never match a .ps1 file.
// KQL endswith/startswith/contains are case-insensitive, matching Sigma semantics.
imFileEvent
| where (ActingProcessName endswith "\\powershell.exe" or ActingProcessName endswith "\\pwsh.exe")
    and TargetFilePath endswith ".ps1"
| where not(TargetFilePath contains "__PSScriptPolicyTest_"
    or (TargetFilePath startswith "C:\\Users\\" and TargetFilePath contains "\\AppData\\Local\\Temp\\")
    or TargetFilePath startswith "C:\\Windows\\Temp\\")
Common benign scenarios that trigger this rule, with candidate exclusions to tune it for your environment:
Scenario: Scheduled Job Creation via Task Scheduler
Description: An administrator creates a scheduled task that runs a .ps1 script as part of routine system maintenance.
Filter/Exclusion: process.parent.name == "schtasks.exe" or process.name == "schtasks.exe"
Scenario: PowerShell Script for System Update or Patching
Description: A legitimate script is used to apply system updates or patches, which involves creating a .ps1 file temporarily.
Filter/Exclusion: process.command_line contains "Update-Script" or process.command_line contains "patching" or (process.name == "powershell.exe" and process.parent.name == "windowsupdate.exe")
Scenario: Admin Task Using PowerShell for Configuration Management
Description: A system administrator uses PowerShell to configure settings across multiple servers, which may involve generating or executing .ps1 scripts.
Filter/Exclusion: process.name == "powershell.exe" and (process.parent.name == "explorer.exe" or process.parent.name == "cmd.exe") and the user is a member of the Administrators group
Scenario: PowerShell Module Installation
Description: A PowerShell module is being installed using Install-Module, which may involve creating temporary .ps1 files during the installation process.
Filter/Exclusion: process.command_line contains "Install-Module" or process.command_line contains "PowerShellGet" or (process.name == "powershell.exe" and process.parent.name == "msiexec.exe")
Scenario: PowerShell Script for Log File Analysis
Description: A script is written to analyze log files and generate a .ps1 file for processing, which is then executed.
Filter/Exclusion: process.command_line contains "log analysis" or process.command_line contains "log processing" or process.name == "powershell.exe" and process.parent.name == "notepad
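As an added example (not code from the original page, the Sigma rule, or its author), the following Python re-implements the rule's `selection` and `filter_main_*` logic from the Detection Rule section and layers on site-specific exclusions modelled on the scenarios above, then runs both over a handful of constructed Sysmon-style FileCreate records. The `FileEvent` class, the `triage` and `alerts` functions, the `SITE_EXCLUSIONS` list, and every sample path and command line are assumptions made for this example; only the field names follow Sysmon Event ID 11.

```python
"""Added example: the Sigma rule's selection / filter_main_* logic in Python,
plus a site-specific exclusion layer modelled on the scenarios above.
Field names follow Sysmon Event ID 11 (FileCreate): Image, TargetFilename,
ParentImage, CommandLine. All sample records and exclusions are constructed."""

from dataclasses import dataclass


@dataclass
class FileEvent:
    image: str               # creating process (Sysmon Image)
    target_filename: str     # full path of the file created (Sysmon TargetFilename)
    parent_image: str = ""   # parent of the creating process (Sysmon ParentImage)
    command_line: str = ""   # creating process command line (Sysmon CommandLine)


# Sigma string modifiers are case-insensitive, so every comparison lowercases.
POWERSHELL_HOSTS = ("\\powershell.exe", "\\pwsh.exe")


def sigma_selection(ev: FileEvent) -> bool:
    """The rule's `selection`: a PowerShell host wrote a .ps1 file."""
    return (ev.image.lower().endswith(POWERSHELL_HOSTS)
            and ev.target_filename.lower().endswith(".ps1"))


def sigma_filters(ev: FileEvent) -> bool:
    """The rule's `filter_main_*` blocks; True means the event is suppressed."""
    path = ev.target_filename.lower()
    if "__psscriptpolicytest_" in path:          # filter_main_psscriptpolicytest
        return True
    if path.startswith("c:\\users\\") and "\\appdata\\local\\temp\\" in path:
        return True                              # filter_main_appdata
    if path.startswith("c:\\windows\\temp\\"):   # filter_main_windows_temp
        return True
    return False


def rule_matches(ev: FileEvent) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return sigma_selection(ev) and not sigma_filters(ev)


# Site-specific exclusions (constructed, modelled on the scenarios above):
# a label plus a predicate. Keeping them out of the rule logic itself keeps
# the upstream rule diffable while tuning stays local to the environment.
SITE_EXCLUSIONS = [
    ("scheduled maintenance task",
     lambda ev: ev.parent_image.lower().endswith("\\schtasks.exe")),
    ("module installation",
     lambda ev: "install-module" in ev.command_line.lower()),
]


def triage(events, exclusions=SITE_EXCLUSIONS):
    """Return (event, verdict) pairs: no-match, filtered-by-rule,
    excluded:<label>, or ALERT."""
    verdicts = []
    for ev in events:
        if not sigma_selection(ev):
            verdict = "no-match"
        elif sigma_filters(ev):
            verdict = "filtered-by-rule"
        else:
            label = next((name for name, pred in exclusions if pred(ev)), None)
            verdict = f"excluded:{label}" if label else "ALERT"
        verdicts.append((ev, verdict))
    return verdicts


def alerts(events, exclusions=SITE_EXCLUSIONS):
    """Paths of .ps1 files that survive both the rule filters and site tuning."""
    return [ev.target_filename for ev, v in triage(events, exclusions) if v == "ALERT"]


# Constructed Sysmon-style FileCreate records covering each branch of the logic.
SAMPLE_EVENTS = [
    FileEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\alice\AppData\Roaming\update.ps1",
              parent_image=r"C:\Windows\explorer.exe",
              command_line="powershell.exe -NoProfile -File update.ps1"),
    FileEvent(r"C:\Program Files\PowerShell\7\pwsh.exe",
              r"C:\Users\alice\AppData\Local\Temp\__PSScriptPolicyTest_abcd1234.ps1"),
    FileEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\Temp\stage.ps1"),
    FileEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Scripts\nightly.ps1",
              parent_image=r"C:\Windows\System32\schtasks.exe"),
    FileEvent(r"C:\Program Files\PowerShell\7\pwsh.exe",
              r"C:\Program Files\WindowsPowerShell\Modules\Foo\1.0\Foo.ps1",
              command_line="pwsh -NoProfile -Command Install-Module Foo"),
    FileEvent(r"C:\Windows\System32\notepad.exe",
              r"C:\Users\bob\Desktop\notes.ps1"),
]

if __name__ == "__main__":
    for ev, verdict in triage(SAMPLE_EVENTS):
        print(f"{verdict:<36} {ev.target_filename}")
```

Running the script prints one verdict per record: only the `.ps1` written under `AppData\Roaming` alerts, the policy-test and `Windows\Temp` files are dropped by the rule's own filters, and the scheduled-task and module-install cases are absorbed by the site exclusions. Validate each parent-process or command-line exclusion against real telemetry before deploying it: a task launched by the Task Scheduler service is normally recorded with `svchost.exe` (hosting the Schedule service) as its parent rather than `schtasks.exe`, so an exclusion copied verbatim from the scenario may never fire.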