Beginner SOC question – Wazuh/Sysmon PowerShell alert, possible false positive?
Hi everyone,
Wazuh, Sysmon, and alert analysis . I received an alert that I'm trying to understand better and would appreciate guidance on how an analyst would investigate it.
The Wazuh rule triggered:
Rule ID: 92213
Description: "Executable file dropped in folder commonly used by malware (Lowered Severity)"
MITRE: T1105 – Ingress Tool Transfer
Important details:
- Process:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - File created:
C:\Users\someone\AppData\Local\Temp\__PSScriptPolicyTest_cebr0opm.pas.ps1 - Sysmon Event ID: 11 (File Create)
What confuses me is the filename:
__PSScriptPolicyTest_*.ps1
I found some information suggesting PowerShell can create temporary files while checking execution policies, but I’m not sure whether this should be considered suspicious behavior or expected activity.
My questions:
- Would you classify this as a true positive or false positive?
- What would be your first investigation steps?
- Which additional logs or Sysmon events would you pivot to?
- Does the MITRE mapping make sense here, or could this be a generic detection generating noise?
I'm trying to learn the investigation methodology and analyst thought process rather than just getting the answer.
Thanks!