PowerShell Module File Created
Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc.
Sigma rule
title: PowerShell Module File Created
id: e36941d0-c0f0-443f-bc6f-cb2952eb69ea
status: test
description: Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc.
references:
    - Internal Research
    - https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-09
tags:
    - attack.persistence
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        TargetFilename|contains:
            - '\WindowsPowerShell\Modules\'
            - '\PowerShell\7\Modules\'
    condition: selection
falsepositives:
    - Likely
level: low
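To show what the `selection` above actually matches, here is an added example (not part of the Sigma project or this rule) that evaluates the rule's logic over constructed Windows file_event records; the record shape (a dict with `Image` and `TargetFilename`) and the sample paths are assumptions.

```python
# Added example: applies this rule's `selection` to constructed file_event
# records, mimicking Sigma's case-insensitive |endswith and |contains
# modifiers. Not the Sigma project's own code; record shape is an assumption.

IMAGE_ENDSWITH = ('\\powershell.exe', '\\pwsh.exe')
TARGET_CONTAINS = ('\\WindowsPowerShell\\Modules\\', '\\PowerShell\\7\\Modules\\')


def _endswith_any(value, suffixes):
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains_any(value, needles):
    v = value.lower()
    return any(n.lower() in v for n in needles)


def matches(event):
    """True when the event satisfies `condition: selection`.

    A list of values under one field is OR-ed; the two fields of the
    selection are AND-ed. Note the rule keys on the writing process and the
    module directory, not on the file extension named in the description.
    """
    image = event.get("Image")
    target = event.get("TargetFilename")
    if image is None or target is None:
        return False
    return _endswith_any(image, IMAGE_ENDSWITH) and _contains_any(target, TARGET_CONTAINS)


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Program Files\WindowsPowerShell\Modules\Example\Example.psm1"},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "TargetFilename": r"C:\Program Files\PowerShell\7\Modules\PSReadLine\PSReadLine.psd1"},
    # Installer writing a module: Image does not match, so no alert.
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Program Files\WindowsPowerShell\Modules\Example\Example.psm1"},
    # PowerShell writing outside the module paths: no alert.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
]


def alerts(events):
    """Return the TargetFilename of every event the rule would fire on."""
    return [e["TargetFilename"] for e in events if matches(e)]


if __name__ == "__main__":
    for path in alerts(SAMPLE_EVENTS):
        print("PowerShell Module File Created:", path)
```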