▲ 5 r/Wazuh

Beginner SOC question – Wazuh/Sysmon PowerShell alert, possible false positive?

Hi everyone,

Wazuh, Sysmon, and alert analysis . I received an alert that I'm trying to understand better and would appreciate guidance on how an analyst would investigate it.

The Wazuh rule triggered:

Rule ID: 92213
Description: "Executable file dropped in folder commonly used by malware (Lowered Severity)"
MITRE: T1105 – Ingress Tool Transfer

Important details:

  • Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  • File created: C:\Users\someone\AppData\Local\Temp\__PSScriptPolicyTest_cebr0opm.pas.ps1
  • Sysmon Event ID: 11 (File Create)

What confuses me is the filename:

__PSScriptPolicyTest_*.ps1

I found some information suggesting PowerShell can create temporary files while checking execution policies, but I’m not sure whether this should be considered suspicious behavior or expected activity.

My questions:

  1. Would you classify this as a true positive or false positive?
  2. What would be your first investigation steps?
  3. Which additional logs or Sysmon events would you pivot to?
  4. Does the MITRE mapping make sense here, or could this be a generic detection generating noise?

I'm trying to learn the investigation methodology and analyst thought process rather than just getting the answer.

Thanks!

reddit.com
u/SignatureForward9397 — 5 days ago

Beginner SOC question about a PowerShell/Wazuh alert

Hi everyone,

Wazuh, Sysmon, and alert analysis . I received an alert that I'm trying to understand better and would appreciate guidance on how an analyst would investigate it.

The Wazuh rule triggered:

Rule ID: 92213
Description: "Executable file dropped in folder commonly used by malware (Lowered Severity)"
MITRE: T1105 – Ingress Tool Transfer

Important details:

  • Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  • File created: C:\Users\someone\AppData\Local\Temp\__PSScriptPolicyTest_cebr0opm.pas.ps1
  • Sysmon Event ID: 11 (File Create)

What confuses me is the filename:

__PSScriptPolicyTest_*.ps1

I found some information suggesting PowerShell can create temporary files while checking execution policies, but I’m not sure whether this should be considered suspicious behavior or expected activity.

My questions:

  1. Would you classify this as a true positive or false positive?
  2. What would be your first investigation steps?
  3. Which additional logs or Sysmon events would you pivot to?
  4. Does the MITRE mapping make sense here, or could this be a generic detection generating noise?

I'm trying to learn the investigation methodology and analyst thought process rather than just getting the answer.

Thanks!

reddit.com
u/SignatureForward9397 — 5 days ago

Beginner SOC question about a PowerShell/Wazuh alert

Hi everyone,

Wazuh, Sysmon, and alert analysis . I received an alert that I'm trying to understand better and would appreciate guidance on how an analyst would investigate it.

The Wazuh rule triggered:

Rule ID: 92213
Description: "Executable file dropped in folder commonly used by malware (Lowered Severity)"
MITRE: T1105 – Ingress Tool Transfer

Important details:

  • Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  • File created: C:\Users\someone\AppData\Local\Temp\__PSScriptPolicyTest_cebr0opm.pas.ps1
  • Sysmon Event ID: 11 (File Create)

What confuses me is the filename:

__PSScriptPolicyTest_*.ps1

I found some information suggesting PowerShell can create temporary files while checking execution policies, but I’m not sure whether this should be considered suspicious behavior or expected activity.

My questions:

  1. Would you classify this as a true positive or false positive?
  2. What would be your first investigation steps?
  3. Which additional logs or Sysmon events would you pivot to?
  4. Does the MITRE mapping make sense here, or could this be a generic detection generating noise?

I'm trying to understand the investigation methodology and analyst thought process rather than just getting the answer.

Thanks!

reddit.com
u/SignatureForward9397 — 5 days ago

Buying my first Rolex - please help me choose the right one

After a lot of saving I’m finally pulling the trigger on my first Rolex and I’ve narrowed it down to three watches from a local dealer. Would love some input from people who actually know these watches before I commit.
Here’s what I’m looking at:

  1. Rolex Submariner No-Date (2019, full set) — €10,200
  2. Rolex Datejust 41mm Blue Dial on Jubilee (2018, full set, like new) — €12,700
  3. Rolex Datejust 41mm Diamond Dial, Slate/Rhodium (2023, full set, like new) — €14,200
    All are pre-owned full sets from the same dealer.
    My lifestyle is fairly active — I wear watches daily and want something that can handle both casual and more dressed-up occasions. I’m not necessarily chasing investment value but I wouldn’t mind something that holds well.
    A few questions:
    • Is the Sub worth it as a first Rolex even though it’s sport-focused?
    • Between the two Datejusts, is the diamond dial worth the extra ~€1,500 or is the blue dial the smarter buy?
    • Any concerns about the years on these? The 2019 Sub and 2018 DJ vs the newer 2023 DJ?
    Appreciate any advice — especially from people who own or have owned these references!
reddit.com
u/SignatureForward9397 — 20 days ago