From 0c7b9c0b3cb036244d4bcbecea24988747875b17 Mon Sep 17 00:00:00 2001
From: Florian Martin <florian.martin@cea.fr>
Date: Wed, 21 Aug 2024 13:54:12 +0200
Subject: [PATCH 1/4] added an exclusion of PSScriptPolicyTest file creation
 for powershell 32 bits

---
 11_file_create/exclude_psscriptpolicytest.xml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/11_file_create/exclude_psscriptpolicytest.xml b/11_file_create/exclude_psscriptpolicytest.xml
index 95dc68a6..44ae1058 100644
--- a/11_file_create/exclude_psscriptpolicytest.xml
+++ b/11_file_create/exclude_psscriptpolicytest.xml
@@ -11,6 +11,11 @@
                <TargetFilename condition="contains all">C:\Windows\Temp;__PSScriptPolicyTest;.ps1</TargetFilename>
                <User condition="is">NT AUTHORITY\SYSTEM</User>
             </Rule>
+            <Rule groupRelation="and">
+               <Image condition="is">C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe</Image> 
+               <TargetFilename condition="contains all">C:\Windows\Temp;__PSScriptPolicyTest;.ps1</TargetFilename>
+               <User condition="is">NT AUTHORITY\SYSTEM</User>
+            </Rule>
          </FileCreate>
       </RuleGroup>
    </EventFiltering>

From b5420cf09090050d028b0167c0996633e51c8768 Mon Sep 17 00:00:00 2001
From: Florian Martin <florian.martin@cea.fr>
Date: Wed, 21 Aug 2024 13:55:25 +0200
Subject: [PATCH 2/4] added a file to exclude PSScriptPolicyTest file created
 by a user in AppData\Local\Temp

---
 .../exclude_psscriptpolicytest_user.xml          | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 11_file_create/exclude_psscriptpolicytest_user.xml

diff --git a/11_file_create/exclude_psscriptpolicytest_user.xml b/11_file_create/exclude_psscriptpolicytest_user.xml
new file mode 100644
index 00000000..8c5abe43
--- /dev/null
+++ b/11_file_create/exclude_psscriptpolicytest_user.xml
@@ -0,0 +1,16 @@
+<Sysmon schemaversion="4.30">
+   <EventFiltering>
+      <RuleGroup name="" groupRelation="or">
+         <FileCreate onmatch="exclude">
+            <Rule groupRelation="and">
+               <Image condition="is">C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe</Image> 
+               <TargetFilename condition="contains all">C:\Users\;\AppData\Local\Temp\;__PSScriptPolicyTest;.ps1</TargetFilename>
+            </Rule>
+            <Rule groupRelation="and">
+               <Image condition="is">C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe</Image> 
+               <TargetFilename condition="contains all">C:\Users\;\AppData\Local\Temp\;__PSScriptPolicyTest;.ps1</TargetFilename>
+            </Rule>
+         </FileCreate>
+      </RuleGroup>
+   </EventFiltering>
+</Sysmon>
\ No newline at end of file

From 25046530d4e63d3584f8d7635fa4f1e4bc1628af Mon Sep 17 00:00:00 2001
From: Florian Martin <florian.martin@cea.fr>
Date: Wed, 21 Aug 2024 13:58:27 +0200
Subject: [PATCH 3/4] added PSScriptPolicyTest file exclusion for event 23

---
 23_file_delete/exclude_psscriptpolicytest.xml | 22 +++++++++++++++++++
 .../exclude_psscriptpolicytest_user.xml       | 16 ++++++++++++++
 2 files changed, 38 insertions(+)
 create mode 100644 23_file_delete/exclude_psscriptpolicytest.xml
 create mode 100644 23_file_delete/exclude_psscriptpolicytest_user.xml

diff --git a/23_file_delete/exclude_psscriptpolicytest.xml b/23_file_delete/exclude_psscriptpolicytest.xml
new file mode 100644
index 00000000..c8bba3e3
--- /dev/null
+++ b/23_file_delete/exclude_psscriptpolicytest.xml
@@ -0,0 +1,22 @@
+<Sysmon schemaversion="4.60">
+   <EventFiltering>
+      <RuleGroup name="" groupRelation="or">
+         <FileDelete onmatch="exclude">
+            <Rule groupRelation="and">
+               <Image condition="is">C:\Windows\system32\wsmprovhost.exe</Image> 
+               <TargetFilename condition="contains all">C:\Users\;\AppData\Local\Temp;__PSScriptPolicyTest;.ps1</TargetFilename>
+            </Rule>
+            <Rule groupRelation="and">
+               <Image condition="is">C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe</Image> 
+               <TargetFilename condition="contains all">C:\Windows\Temp;__PSScriptPolicyTest;.ps1</TargetFilename>
+               <User condition="is">NT AUTHORITY\SYSTEM</User>
+            </Rule>
+            <Rule groupRelation="and">
+               <Image condition="is">C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe</Image> 
+               <TargetFilename condition="contains all">C:\Windows\Temp;__PSScriptPolicyTest;.ps1</TargetFilename>
+               <User condition="is">NT AUTHORITY\SYSTEM</User>
+            </Rule>
+         </FileDelete>
+      </RuleGroup>
+   </EventFiltering>
+</Sysmon>
\ No newline at end of file
diff --git a/23_file_delete/exclude_psscriptpolicytest_user.xml b/23_file_delete/exclude_psscriptpolicytest_user.xml
new file mode 100644
index 00000000..d548643c
--- /dev/null
+++ b/23_file_delete/exclude_psscriptpolicytest_user.xml
@@ -0,0 +1,16 @@
+<Sysmon schemaversion="4.60">
+   <EventFiltering>
+      <RuleGroup name="" groupRelation="or">
+         <FileDelete onmatch="exclude">
+            <Rule groupRelation="and">
+               <Image condition="is">C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe</Image> 
+               <TargetFilename condition="contains all">C:\Users\;\AppData\Local\Temp\;__PSScriptPolicyTest;.ps1</TargetFilename>
+            </Rule>
+            <Rule groupRelation="and">
+               <Image condition="is">C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe</Image> 
+               <TargetFilename condition="contains all">C:\Users\;\AppData\Local\Temp\;__PSScriptPolicyTest;.ps1</TargetFilename>
+            </Rule>
+         </FileDelete>
+      </RuleGroup>
+   </EventFiltering>
+</Sysmon>
\ No newline at end of file

From 8875724083eefdad5d174589b1e2c07f908f195a Mon Sep 17 00:00:00 2001
From: Florian Martin <florian.martin@cea.fr>
Date: Wed, 21 Aug 2024 13:58:34 +0200
Subject: [PATCH 4/4] added PSScriptPolicyTest file exclusion for event 26

---
 .../exclude_psscriptpolicytest.xml            | 22 +++++++++++++++++++
 .../exclude_psscriptpolicytest_user.xml       | 16 ++++++++++++++
 2 files changed, 38 insertions(+)
 create mode 100644 26_file_delete_detected/exclude_psscriptpolicytest.xml
 create mode 100644 26_file_delete_detected/exclude_psscriptpolicytest_user.xml

diff --git a/26_file_delete_detected/exclude_psscriptpolicytest.xml b/26_file_delete_detected/exclude_psscriptpolicytest.xml
new file mode 100644
index 00000000..945ac740
--- /dev/null
+++ b/26_file_delete_detected/exclude_psscriptpolicytest.xml
@@ -0,0 +1,22 @@
+<Sysmon schemaversion="4.60">
+   <EventFiltering>
+      <RuleGroup name="" groupRelation="or">
+         <FileDeleteDetected onmatch="exclude">
+            <Rule groupRelation="and">
+               <Image condition="is">C:\Windows\system32\wsmprovhost.exe</Image> 
+               <TargetFilename condition="contains all">C:\Users\;\AppData\Local\Temp;__PSScriptPolicyTest;.ps1</TargetFilename>
+            </Rule>
+            <Rule groupRelation="and">
+               <Image condition="is">C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe</Image> 
+               <TargetFilename condition="contains all">C:\Windows\Temp;__PSScriptPolicyTest;.ps1</TargetFilename>
+               <User condition="is">NT AUTHORITY\SYSTEM</User>
+            </Rule>
+            <Rule groupRelation="and">
+               <Image condition="is">C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe</Image> 
+               <TargetFilename condition="contains all">C:\Windows\Temp;__PSScriptPolicyTest;.ps1</TargetFilename>
+               <User condition="is">NT AUTHORITY\SYSTEM</User>
+            </Rule>
+         </FileDeleteDetected>
+      </RuleGroup>
+   </EventFiltering>
+</Sysmon>
\ No newline at end of file
diff --git a/26_file_delete_detected/exclude_psscriptpolicytest_user.xml b/26_file_delete_detected/exclude_psscriptpolicytest_user.xml
new file mode 100644
index 00000000..f1a67440
--- /dev/null
+++ b/26_file_delete_detected/exclude_psscriptpolicytest_user.xml
@@ -0,0 +1,16 @@
+<Sysmon schemaversion="4.60">
+   <EventFiltering>
+      <RuleGroup name="" groupRelation="or">
+         <FileDeleteDetected onmatch="exclude">
+            <Rule groupRelation="and">
+               <Image condition="is">C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe</Image> 
+               <TargetFilename condition="contains all">C:\Users\;\AppData\Local\Temp\;__PSScriptPolicyTest;.ps1</TargetFilename>
+            </Rule>
+            <Rule groupRelation="and">
+               <Image condition="is">C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe</Image> 
+               <TargetFilename condition="contains all">C:\Users\;\AppData\Local\Temp\;__PSScriptPolicyTest;.ps1</TargetFilename>
+            </Rule>
+         </FileDeleteDetected>
+      </RuleGroup>
+   </EventFiltering>
+</Sysmon>
\ No newline at end of file