Potential Suspicious PowerShell Module File Created

Detects the creation of a new PowerShell module in the first folder of the module directory structure "\WindowsPowerShell\Modules\malware\malware.psm1". This is somewhat an uncommon practice as legitimate modules often includes a version folder.

Sigma rule (View on GitHub)

 1title: Potential Suspicious PowerShell Module File Created
 2id: e8a52bbd-bced-459f-bd93-64db45ce7657
 3status: test
 4description: Detects the creation of a new PowerShell module in the first folder of the module directory structure "\WindowsPowerShell\Modules\malware\malware.psm1". This is somewhat an uncommon practice as legitimate modules often includes a version folder.
 5references:
 6    - Internal Research
 7    - https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2023-05-09
10tags:
11    - attack.persistence
12logsource:
13    category: file_event
14    product: windows
15detection:
16    selection:
17        TargetFilename|endswith:
18            # Note: Don't include PowerShell 7 as it has default modules that don't follow this logic
19            - '\\WindowsPowerShell\\Modules\\*\.ps'
20            - '\\WindowsPowerShell\\Modules\\*\.dll'
21    condition: selection
22falsepositives:
23    - False positive rate will vary depending on the environments. Additional filters might be required to make this logic usable in production.
24level: medium

References

Related rules

to-top