And the answer is: PS creates a fake, randomly named ps1 on login to see if it is auth'd under AppLocker rules.
-----Original Message-----
From: Kennedy, Jim
Sent: Friday, December 2, 2016 2:25 PM
To: [email protected]; ntsysadm
Subject: RE: [NTSysADM] Odd <random>.ps1 files.

Sorry, wrong forum.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Kennedy, Jim
Sent: Friday, December 2, 2016 2:23 PM
To: ntsysadm; [email protected]
Subject: [Exchange] [NTSysADM] Odd <random>.ps1 files.

Seeing these from time to time from my SIEM. Not a lot but fairly consistently.

C:\Users\<username>\AppData\Local\Temp\1hv3rbtn.tyz.ps1

These are regular students that can't even run PowerShell. Always a generated string for the file name. This is a pretty tight environment, the students don't even have email, their filter is very tight. So it's like I have a system generating them...but dang if I can think of one that would do that under a user context.
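For SIEM tuning, the sketch below separates file-creation events that have the shape of the file quoted in this thread from other script files that still need a look. It is an added example, not part of the original messages; the event fields, host and user names are constructed, and accepting `.psm1` alongside `.ps1` is an assumption.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Name shape of the sample in the thread (1hv3rbtn.tyz.ps1): 8 + 3 lowercase
# alphanumerics, the 8.3 form that .NET Path.GetRandomFileName() returns.
# Assumption: .psm1 probes are accepted alongside .ps1.
PROBE_NAME = re.compile(r"[a-z0-9]{8}\.[a-z0-9]{3}\.(ps1|psm1)")
SCRIPT_EXTS = {".ps1", ".psm1"}

def classify(path):
    """Return 'not-script', 'probe-shaped' or 'review' for a file path."""
    p = PureWindowsPath(path)
    if p.suffix.lower() not in SCRIPT_EXTS:
        return "not-script"
    parent = [part.lower() for part in p.parent.parts]
    # Must sit directly in <drive>\Users\<user>\AppData\Local\Temp
    in_user_temp = (len(parent) == 6 and parent[1] == "users"
                    and parent[3:] == ["appdata", "local", "temp"])
    if in_user_temp and PROBE_NAME.fullmatch(p.name):
        return "probe-shaped"
    return "review"

def triage(events):
    """Count probe-shaped files per host; return the rest for an analyst."""
    per_host, review = Counter(), []
    for ev in events:
        verdict = classify(ev["path"])
        if verdict == "probe-shaped":
            per_host[ev["host"]] += 1
        elif verdict == "review":
            review.append(ev)
    return per_host, review

# Constructed file-creation events (hosts, users and names are made up,
# except the first file name, which is the one quoted in the thread).
EVENTS = [
    {"host": "LAB-01", "path": r"C:\Users\student01\AppData\Local\Temp\1hv3rbtn.tyz.ps1"},
    {"host": "LAB-01", "path": r"C:\Users\student01\AppData\Local\Temp\q0zk4m2x.w3n.psm1"},
    {"host": "LAB-02", "path": r"C:\Users\student02\AppData\Local\Temp\update.ps1"},
    {"host": "LAB-02", "path": r"C:\Users\student02\Downloads\1hv3rbtn.tyz.ps1"},
    {"host": "LAB-03", "path": r"C:\Users\student03\AppData\Local\Temp\notes.txt"},
]

if __name__ == "__main__":
    counts, review = triage(EVENTS)
    print(dict(counts))
    for ev in review:
        print("review:", ev["host"], ev["path"])
```

A matching name and location is a triage hint only, since any process can write a file with that shape; the per-host counts are for baselining, and anything in the review list keeps its normal alert handling.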

