
Summary
This detection rule identifies instances where PowerShell (PowerShell.EXE or its PowerShell Core counterpart pwsh.EXE) creates a PowerShell script file (.ps1). Such file creation is often benign, but it is also a potential indicator of malicious behavior, specifically when dropper scripts are written to disk to maintain persistence on an exploited system. The rule captures these occurrences while combining several conditions to filter out benign instances: its selections match script creation from specific locations, and its filters exclude false positives related to known safe script policies and commonly accessed directories. Additional context or filters specific to the environment should still be applied to manage false positives effectively.
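The following is an added example, not the rule's own logic: a minimal re-implementation of the detection described above, run over constructed file-creation telemetry. The `FileEvent` class, the `is_suspicious` and `filter_events` functions, and the benign-filter lists (`__PSScriptPolicyTest_` probe files and the PowerShell module directories) are assumptions chosen to stand in for the rule's "known safe script policy" and "commonly accessed directory" exclusions; the real rule's selections and filters are not reproduced here.

```python
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class FileEvent:
    """A file-creation telemetry record (e.g. Sysmon Event ID 11).

    Field names mirror the Sysmon schema; all sample values below are constructed."""
    image: str            # full path of the process that created the file
    target_filename: str  # full path of the file that was created


# Processes the rule is interested in (matched as a path suffix, case-insensitively).
POWERSHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe")

# Assumed benign filters standing in for the rule's exclusions (not the rule's actual list).
BENIGN_NAME_PREFIXES = ("__psscriptpolicytest_",)   # PowerShell's own script-policy probe files
BENIGN_DIR_PREFIXES = (
    "c:\\program files\\windowspowershell\\modules\\",
    "c:\\program files\\powershell\\modules\\",
)


def _basename(path: str) -> str:
    # Windows paths; os.path.basename would not split on '\\' on POSIX hosts.
    return path.rsplit("\\", 1)[-1]


def is_suspicious(ev: FileEvent) -> bool:
    """Return True when the event matches the rule: PowerShell writes a .ps1
    outside the assumed-benign locations."""
    image = ev.image.lower()
    target = ev.target_filename.lower()
    if not image.endswith(POWERSHELL_IMAGES):
        return False                      # not created by PowerShell
    if not target.endswith(".ps1"):
        return False                      # not a script file
    if _basename(target).startswith(BENIGN_NAME_PREFIXES):
        return False                      # script-policy test file (assumed benign)
    if target.startswith(BENIGN_DIR_PREFIXES):
        return False                      # module directory (assumed benign)
    return True


def filter_events(events: Iterable[FileEvent]) -> List[FileEvent]:
    """Apply the rule to a stream of events and return only the matches."""
    return [ev for ev in events if is_suspicious(ev)]


# Constructed sample telemetry covering the match and each exclusion path.
SAMPLE_EVENTS = [
    FileEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\alice\AppData\Local\Temp\__PSScriptPolicyTest_abcd1234.ps1"),
    FileEvent(r"C:\Program Files\PowerShell\7\pwsh.exe",
              r"C:\Program Files\PowerShell\Modules\ExampleModule\ExampleModule.ps1"),
    FileEvent(r"C:\Windows\System32\notepad.exe",
              r"C:\Users\alice\Documents\notes.ps1"),
    FileEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\alice\Documents\report.txt"),
    FileEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.ps1"),
]

if __name__ == "__main__":
    for ev in filter_events(SAMPLE_EVENTS):
        print(f"ALERT: {ev.image} created {ev.target_filename}")
```

Only the last sample event survives the filters: it is PowerShell writing a .ps1 into a user's Startup folder, which is exactly the persistence pattern the summary describes. Tuning for a real environment means extending the two benign lists with the paths that legitimately generate these events rather than loosening the process or extension checks.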
Categories
- Endpoint
- Windows
Data Sources
- File
Created: 2023-05-09