Potential Suspicious PowerShell Module File Created

Detects the creation of a new PowerShell module file directly in the first folder of the module directory structure, e.g. "\WindowsPowerShell\Modules\malware\malware.psm1". This is a somewhat uncommon layout, as legitimate modules usually include a version folder between the module folder and the module files.

Sigma rule

title: Potential Suspicious PowerShell Module File Created
id: e8a52bbd-bced-459f-bd93-64db45ce7657
status: test
description: Detects the creation of a new PowerShell module in the first folder of the module directory structure "\WindowsPowerShell\Modules\malware\malware.psm1". This is somewhat an uncommon practice as legitimate modules often includes a version folder.
references:
    - Internal Research
    - https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/09
tags:
    - attack.persistence
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|re:
            # Note: Don't include PowerShell 7 as it has default modules that don't follow this logic
            # Exactly one folder (the module name) between "Modules" and the file itself;
            # a legitimate versioned module would add a second folder and not match
            - '\\WindowsPowerShell\\Modules\\[^\\]+\\[^\\]+\.ps'
            - '\\WindowsPowerShell\\Modules\\[^\\]+\\[^\\]+\.dll'
    condition: selection
falsepositives:
    - False positive rate will vary depending on the environments. Additional filters might be required to make this logic usable in production.
level: medium
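As an added example (not part of this rule page or SigmaHQ's own code), the Python below re-implements the rule's path logic in two forms and runs both over constructed Sysmon FileCreate (Event ID 11) records: a regex equivalent to the rule's two TargetFilename patterns, and a structural check that splits the path and requires exactly one folder between "Modules" and the file. Only the TargetFilename field name comes from the rule; the EventID/Image keys follow Sysmon's schema, and the sample paths and function names are constructed for this example.

```python
"""Re-implementation of the rule's path logic over constructed Sysmon FileCreate events."""
import re
from pathlib import PureWindowsPath

# Regex form of the rule's two TargetFilename patterns: one module folder directly
# under Modules, then the file. Windows paths are case-insensitive, so match that way.
SIGMA_PATTERN = re.compile(
    r"\\WindowsPowerShell\\Modules\\[^\\]+\\[^\\]+\.(?:ps|dll)", re.IGNORECASE
)

# Extensions PowerShell loads from a module folder (manifest, script module, script, binary).
MODULE_EXTENSIONS = {".ps1", ".psm1", ".psd1", ".dll"}


def is_unversioned_module_file(target: str) -> bool:
    """Structural check: ...\\WindowsPowerShell\\Modules\\<Name>\\<file> with nothing in between."""
    parts = PureWindowsPath(target).parts
    lowered = [p.lower() for p in parts]
    for i in range(len(lowered) - 1):
        if lowered[i] == "windowspowershell" and lowered[i + 1] == "modules":
            rest = parts[i + 2:]
            # A version folder (Modules\Name\1.2.3\Name.psm1) makes this three components.
            return (
                len(rest) == 2
                and PureWindowsPath(rest[1]).suffix.lower() in MODULE_EXTENSIONS
            )
    return False


def sigma_regex_matches(target: str) -> bool:
    """Substring match, as Sigma's 're' modifier is unanchored."""
    return SIGMA_PATTERN.search(target) is not None


def evaluate(events):
    """Return TargetFilenames of Sysmon Event ID 11 records flagged by the structural check."""
    return [
        e["TargetFilename"]
        for e in events
        if e.get("EventID") == 11 and is_unversioned_module_file(e.get("TargetFilename", ""))
    ]


PS5_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Versioned module: the normal layout, not flagged.
    {"EventID": 11, "Image": PS5_IMAGE,
     "TargetFilename": r"C:\Program Files\WindowsPowerShell\Modules\PSReadLine\2.0.0\PSReadLine.psm1"},
    # Module file directly in the module folder under a user profile: flagged.
    {"EventID": 11, "Image": PS5_IMAGE,
     "TargetFilename": r"C:\Users\alice\Documents\WindowsPowerShell\Modules\Helper\Helper.psm1"},
    # PowerShell 7 tree: intentionally out of scope for the rule.
    {"EventID": 11, "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "TargetFilename": r"C:\Program Files\PowerShell\7\Modules\Foo\Foo.psd1"},
    # Binary module directly in the module folder: flagged.
    {"EventID": 11, "Image": PS5_IMAGE,
     "TargetFilename": r"C:\Program Files\WindowsPowerShell\Modules\Helper\Helper.dll"},
    # Script in the Scripts folder, not Modules: not flagged.
    {"EventID": 11, "Image": PS5_IMAGE,
     "TargetFilename": r"C:\Users\alice\Documents\WindowsPowerShell\Scripts\run.ps1"},
    # Non-module file in the module folder: not flagged.
    {"EventID": 11, "Image": PS5_IMAGE,
     "TargetFilename": r"C:\Program Files\WindowsPowerShell\Modules\Helper\readme.txt"},
    # Backup copy: the unanchored regex still hits ".ps" here, the structural check does not.
    {"EventID": 11, "Image": PS5_IMAGE,
     "TargetFilename": r"C:\Program Files\WindowsPowerShell\Modules\Helper\Helper.ps1.bak"},
    # Same suspicious path but a FileDelete (Event ID 23): wrong event type, not flagged.
    {"EventID": 23, "Image": PS5_IMAGE,
     "TargetFilename": r"C:\Program Files\WindowsPowerShell\Modules\Helper\Helper.psm1"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT unversioned module file created:", hit)
```

The two forms agree on every sample except Helper.ps1.bak: Sigma's re modifier is a substring match, so the rule's `\.ps` also fires on names that merely contain ".ps", which is one of the sources of noise the falsepositives field warns about and a natural place for a site-specific filter.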
