feat: new rule Potential Binary Or Script Dropper Via PowerShell.EXE (

#4116)

rules/windows/file/file_event/file_event_win_powershell_drop_binary.yml

@@ -0,0 +1,39 @@
+title: Potential Binary Or Script Dropper Via PowerShell.EXE
+id: 7047d730-036f-4f40-b9d8-1c63e36d5e62
+status: experimental
+description: Detects PowerShell creating a binary executable or script file.
+references:
+    - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
+author: frack113
+date: 2023/03/17
+tags:
+    - attack.persistence
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection:
+        Image|endswith:
+            - '\powershell.exe'
+            - '\pwsh.exe'
+        TargetFilename|endswith:
+            - '.bat'
+            - '.com'
+            - '.dll'
+            - '.exe'
+            - '.ocx'
+            - '.ps1'
+            - '.scr'
+            - '.sys'
+            - '.vbs'
+    filter_psscriptpolicytest:
+        TargetFilename|contains: '__PSScriptPolicyTest_'
+    filter_appdata:
+        TargetFilename|startswith: 'C:\Users\'
+        TargetFilename|contains: '\AppData\Local\Temp\'
+    filter_windows_temp:
+        TargetFilename|startswith: 'C:\Windows\Temp\'
+    condition: selection and not 1 of filter_*
+falsepositives:
+    - Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware.
+level: medium