PSScriptPolicyTest Creation By Uncommon Process

Rule Info

Name
PSScriptPolicyTest Creation By Uncommon Process
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft Powershell to test against Applocker.
Reference
https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/
Date
2023-06-01 00:00:00
Modified
2025-10-07 00:00:00
Id
1027d292-dd87-4a1a-8701-2abe04d7783c
Tags
attack.stealth
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=1027d292-dd87-4a1a-8701-2abe04d7783c

Rule History

Author
Title
Date
Commit
Nasreddine Bencherchali
Merge PR #5966 from @nasbench - Update mitre tags to use attack v19
2026-04-29
34c5d66c2
phantinuss
Merge PR #5679 from @swachchhanda000 - chore: update evtx baseline to v0.8.2
2025-10-09
b242175fe
github-actions[bot]
Merge PR #5065 from @nasbench - Promote older rules status from `experimental` to `test`
2024-11-01
f53335056
Nasreddine Bencherchali
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12
598d29f81
Nasreddine Bencherchali
Merge PR #4577 from @nasbench - Multiple Fixes & Updates
2023-12-21
e05267714
Nasreddine Bencherchali
Merge PR #4491 from @nasbench - Rule Updates & Fixes
2023-10-23
edf0ff5cc
Nasreddine Bencherchali
chore: fix fp found in testing
2023-06-01
0c7547041
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022