The hypothesis is that an adversary is running PowerShell code from a process other than the standard hosts (powershell.exe, pwsh.exe, powershell_ise.exe), for example a custom .NET binary or an injected payload that loads the PowerShell engine (System.Management.Automation) in-process, so that blocks and logging keyed on powershell.exe never see it. When the engine starts it writes a temporary "__PSScriptPolicyTest_" script to the user's temp directory to check whether AppLocker or WDAC enforces script rules, so the process that creates that file reveals which binary is hosting PowerShell. A SOC team should proactively hunt in Azure Sentinel for creations of this file by uncommon processes to identify script-based attacks that evade detections scoped to the usual PowerShell executables.
Detection Rule
title: PSScriptPolicyTest Creation By Uncommon Process
id: 1027d292-dd87-4a1a-8701-2abe04d7783c
status: test
description: Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft PowerShell to test against AppLocker.
references:
    - https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-01
modified: 2025-10-07
tags:
    - attack.defense-evasion
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: '__PSScriptPolicyTest_'
    filter_main_powershell:
        Image:
            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
            - 'C:\Program Files\PowerShell\7\pwsh.exe'
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
    filter_main_pwsh_preview:
        Image|contains:
            - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
            - '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview'
        Image|endswith: '\pwsh.exe'
    filter_main_generic:
        Image:
            - 'C:\Windows\System32\dsac.exe'
            - 'C:\Windows\System32\sdiagnhost.exe'
            - 'C:\Windows\System32\ServerManager.exe'
            - 'C:\Windows\System32\wsmprovhost.exe'
            - 'C:\Windows\SysWOW64\sdiagnhost.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
Sentinel Query (ASIM imFileEvent)
The Sigma filters are keyed on Image, the process that creates the file. In the ASIM file event schema that is ActingProcessName; applying the exclusions to TargetFilePath (the path of the probe file itself) can never match, because the created file is named __PSScriptPolicyTest_*, so every legitimate PowerShell start would alert. The query below keys the exclusions on the acting process and restricts the selection to creations, matching the Sigma file_event category. KQL string operators in~, contains and endswith are case-insensitive, so mixed-case paths from different sensors are still excluded.
imFileEvent
| where EventType == "FileCreated"
| where TargetFileName contains "__PSScriptPolicyTest_"
// filter_main_powershell: the standard PowerShell hosts
| where not(ActingProcessName in~ (
    "C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe",
    "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
    "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"))
// filter_main_pwsh_preview: Store-installed preview builds under a versioned package folder
| where not((ActingProcessName contains "C:\\Program Files\\WindowsApps\\Microsoft.PowerShellPreview"
    or ActingProcessName contains "\\AppData\\Local\\Microsoft\\WindowsApps\\Microsoft.PowerShellPreview")
    and ActingProcessName endswith "\\pwsh.exe")
// filter_main_generic: Microsoft binaries known to host the PowerShell engine
| where not(ActingProcessName in~ (
    "C:\\Windows\\System32\\dsac.exe",
    "C:\\Windows\\System32\\sdiagnhost.exe",
    "C:\\Windows\\System32\\ServerManager.exe",
    "C:\\Windows\\System32\\wsmprovhost.exe",
    "C:\\Windows\\SysWOW64\\sdiagnhost.exe"))
| project TimeGenerated, DvcHostname, ActingProcessName, ActingProcessCommandLine, TargetFilePath
Scenario: Scheduled Job Creation via Task Scheduler
Description: A system administrator creates a scheduled task that runs a legitimate PowerShell script for routine system maintenance.
Filter/Exclusion: A task action that launches powershell.exe or pwsh.exe produces the probe file under that host, which filter_main_powershell already excludes, and schtasks.exe itself never hosts the PowerShell engine, so it never appears as the creating process. File events carry no TaskName or TaskDescription fields; investigate only when ActingProcessName is a custom task host binary, and add it to filter_main_generic by full path after confirming its location and signer.
Scenario: PowerShell Script Deployment via SCCM/Intune
Description: A deployment tool such as Microsoft System Center Configuration Manager (SCCM) or Intune runs a PowerShell script to configure endpoints or deploy software.
Filter/Exclusion: Scripts delivered by these agents are typically executed by a powershell.exe child of the agent, which the rule already excludes; msiexec.exe and setup.exe do not host the PowerShell engine and need no exclusion. If an agent component itself appears as ActingProcessName, verify the binary's path and signature and check ActingProcessCommandLine against known enterprise script repositories before excluding it.
Scenario: PowerShell Script Run via Group Policy Preferences
Description: A Group Policy Object (GPO) is configured to run a PowerShell script during user logon or logoff to apply settings or updates.
Filter/Exclusion: GPO scripts run under powershell.exe, which is already excluded; gpupdate.exe and gpresult.exe do not execute scripts and will not create the file. Use GPO-related paths in ActingProcessCommandLine (e.g., C:\Windows\System32\GroupPolicy) only to confirm the origin of an otherwise unexplained host, not as a blanket exclusion.
Scenario: PowerShell Script Execution via Windows Task Scheduler for Backup
Description: A backup tool such as Veeam or Acronis uses a PowerShell script scheduled via Task Scheduler to perform regular backups.
Filter/Exclusion: Scheduled scripts run via powershell.exe are already excluded, and schtasks.exe does not create the file. Where the vendor's own service or console process hosts the PowerShell engine in-process, it will appear as ActingProcessName; exclude it by full path only after confirming the binary's signer, rather than by task name or command line alone.
Scenario: PowerShell Script Run via Windows PowerShell ISE for Development
Description: A developer uses Windows PowerShell ISE