365 Defender 'SuspiciousScriptDrop' malware was prevented alerts, False positive?

Anonymous
2022-02-12T22:22:25.643+00:00

Hi all,
For two days, perhaps coincidentally since the security updates were released via SCCM,
the following alerts have been continuously generated on Windows Server 2019 servers by Microsoft 365 Defender:
'SuspiciousScriptDrop' malware was prevented
'SuspiciousScriptDrop' malware was prevented on a Microsoft SQL server
'SuspiciousScriptDrop' malware was prevented on an IIS Web server
The event seems to be generated by the execution of a PowerShell script whose name always changes in its final part:
_PSScriptPolicyTest_e5xewz2b.d1e.ps1
__PSScriptPolicyTest_hfszzy13.twt.ps1
__PSScriptPolicyTest_mvd5cukz.i50.ps1
__PSScriptPolicyTest_buadpcch.hak.ps1
The malware detected is the following (VirusTotal detection ratio 0/0):
Trojan:JS/SuspiciousScriptDrop.B!pwsh
The file path is always:
C:\Windows\Temp\
The user is always the LocalSystem account:
NT AUTHORITY\SYSTEM
Command line:
powershell.exe -NoLogo -NoProfile -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File Maintenance.ps1

Why are these alarms generated? Do we have to go deep into their analysis or are they false positives?


Accepted answer
  1. Vadims Podāns 9,121 Reputation points MVP
    2022-02-14T09:32:26.637+00:00

    Do we have to go deep into their analysis or are they false positives?

    They are false positives. These scripts are automatically generated and dropped to the Temp folder (system or user, depending on the running user account) by PowerShell itself. Since version 5.1, PowerShell actively enforces constrained (restrictive) language mode depending on SRP/AppLocker enforcement. When you start PowerShell, a temporary script is generated and an attempt is made to execute it. If the file is blocked, PowerShell starts in constrained language mode, which greatly limits the functionality of the PS engine. If the file is not blocked, PowerShell starts in unrestricted language mode. Here are more details from the official PowerShell Team blog: https://devblogs.microsoft.com/powershell/powershell-the-blue-team/#constrained-powershell

    You can completely ignore these alerts that contain "PSScriptPolicyTest".

    1 person found this answer helpful.
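A triage filter of the kind this answer implies, written as an added example (Python; it is not code from the thread, from the answerer or from Microsoft). Rather than suppressing every alert that mentions "PSScriptPolicyTest", it treats an alert as the known PowerShell language-mode probe only when the file name, the directory and the detection family all match what the thread describes, and sends everything else for review. The user-profile Temp path, the host names, the `svc_web` account and the sample alert records are constructed assumptions; the thread itself only shows C:\Windows\Temp and NT AUTHORITY\SYSTEM.

```python
import ntpath
import re
from collections import Counter
from dataclasses import dataclass

# Names of the probe scripts PowerShell drops to test whether AppLocker/SRP
# blocks script execution, as seen in the thread (e.g.
# __PSScriptPolicyTest_hfszzy13.twt.ps1): "__PSScriptPolicyTest_", eight
# random alphanumerics, a dot, three more, ".ps1". A single leading
# underscore is also accepted because one name in the thread appears that way.
PROBE_NAME = re.compile(
    r"^_{1,2}PSScriptPolicyTest_[a-z0-9]{8}\.[a-z0-9]{3}\.ps1$", re.IGNORECASE
)

# Directories the probe is written to: the system Temp folder when PowerShell
# runs as SYSTEM or a service, the user's Temp folder otherwise. The
# user-profile pattern is an assumption; the thread only shows C:\Windows\Temp.
TEMP_DIRS = re.compile(
    r"^(c:\\windows\\temp|c:\\users\\[^\\]+\\appdata\\local\\temp)$", re.IGNORECASE
)

# Detection family named in the thread.
DETECTION_FAMILY = "Trojan:JS/SuspiciousScriptDrop"


@dataclass(frozen=True)
class DefenderAlert:
    host: str
    detection: str
    path: str  # full Windows path of the flagged file
    user: str


def triage(alert: DefenderAlert) -> str:
    """Return 'benign-probe' only when every attribute matches the PowerShell
    language-mode probe; anything else is 'review'."""
    directory, name = ntpath.split(alert.path)  # ntpath handles backslashes on any OS
    directory = directory.rstrip("\\")
    if not alert.detection.startswith(DETECTION_FAMILY):
        return "review"
    if not PROBE_NAME.match(name):
        return "review"  # same family, different script: not the probe
    if not TEMP_DIRS.match(directory):
        return "review"  # probe-like name outside a Temp folder deserves a look
    return "benign-probe"


def summarize(alerts) -> dict:
    """Count verdicts per host, so an uneven spread (the thread's 4 servers
    out of 200) stands out instead of being buried in a flat alert list."""
    counts = {}
    for a in alerts:
        counts.setdefault(a.host, Counter())[triage(a)] += 1
    return {h: dict(c) for h, c in counts.items()}


# Constructed records modelled on the thread; not real telemetry.
SAMPLE_ALERTS = [
    DefenderAlert("SQL01", "Trojan:JS/SuspiciousScriptDrop.B!pwsh",
                  r"C:\Windows\Temp\__PSScriptPolicyTest_hfszzy13.twt.ps1", r"NT AUTHORITY\SYSTEM"),
    DefenderAlert("SQL01", "Trojan:JS/SuspiciousScriptDrop.B!pwsh",
                  r"C:\Windows\Temp\__PSScriptPolicyTest_mvd5cukz.i50.ps1", r"NT AUTHORITY\SYSTEM"),
    DefenderAlert("WEB02", "Trojan:JS/SuspiciousScriptDrop.B!pwsh",
                  r"C:\Users\svc_web\AppData\Local\Temp\__PSScriptPolicyTest_buadpcch.hak.ps1", r"CORP\svc_web"),
    # Probe-style name dropped outside any Temp folder: not what PowerShell does.
    DefenderAlert("WEB02", "Trojan:JS/SuspiciousScriptDrop.B!pwsh",
                  r"C:\Users\Public\__PSScriptPolicyTest_aaaaaaaa.bbb.ps1", r"NT AUTHORITY\SYSTEM"),
    # Different script in the same folder: the detection family alone proves nothing.
    DefenderAlert("APP03", "Trojan:JS/SuspiciousScriptDrop.B!pwsh",
                  r"C:\Windows\Temp\Maintenance.ps1", r"NT AUTHORITY\SYSTEM"),
]

if __name__ == "__main__":
    for host, verdicts in summarize(SAMPLE_ALERTS).items():
        print(host, verdicts)
```

In practice the records would come from the Defender portal or advanced-hunting export rather than a hard-coded list; the point of the three-way check is that the "PSScriptPolicyTest" string on its own is not what makes the alert benign, the location and the detection context are.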

2 additional answers

  1. Reza-Ameri 16,981 Reputation points
    2022-02-13T16:25:26.823+00:00

    Try submitting the script to the Microsoft Anti-Malware portal; take a look at:
    https://www.microsoft.com/en-us/wdsi/filesubmission
    and see if it is being detected as malware there too.
    If not, you may submit a ticket to the Microsoft Defender 365 team.


  2. Anonymous
    2022-02-14T23:12:02.63+00:00

    @Vadims Podāns thank you for your answer.
    I thought it was a false positive, but I wanted confirmation, also because it seems strange to me that the alarm was generated only on 4 servers out of 200.
    Thank you,
    Alfio
