PowerShell Module File Created By Non-PowerShell Process
Detects the creation of a file (".psm1", ".psd1", ".dll", ".ps1", etc.) under a PowerShell module directory by a process other than a PowerShell host. The rule matches on the module directory in the path, not on the file extension, so any file written there by a non-PowerShell process will trigger it. Modules placed in a directory on $env:PSModulePath are discovered and imported automatically when one of their exported commands is invoked, which is why dropping or overwriting a module file there is a persistence technique.
Sigma rule
title: PowerShell Module File Created By Non-PowerShell Process
id: e3845023-ca9a-4024-b2b2-5422156d5527
status: test
description: Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc. by a non-PowerShell process
references:
    - Internal Research
    - https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-09
modified: 2023-10-18
tags:
    - attack.persistence
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains:
            - '\WindowsPowerShell\Modules\'
            - '\PowerShell\7\Modules\'
    filter_main_pwsh:
        Image|endswith:
            - ':\Program Files\PowerShell\7-preview\pwsh.exe'
            - ':\Program Files\PowerShell\7\pwsh.exe'
            - ':\Windows\System32\poqexec.exe' # https://github.com/SigmaHQ/sigma/issues/4448
            - ':\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
            - ':\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
            - ':\Windows\SysWOW64\poqexec.exe' # https://github.com/SigmaHQ/sigma/issues/4448
            - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
            - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
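To see which file events the rule actually fires on, the following Python reimplements its detection logic and runs it over a handful of constructed Sysmon Event ID 11 (FileCreate) records. This is an added example, not code from the rule or the SigmaHQ project: the `contains` and `endswith` matching is written case-insensitively, as Sigma specifies for its string modifiers, and the condition `selection and not 1 of filter_main_*` is evaluated by hand. The sample events, the `Image` and `TargetFilename` values in them, and the helper names are all made up for illustration.

```python
"""Evaluate the Sigma rule's detection logic over constructed Sysmon EID 11 records.

Added example; not part of the rule or the SigmaHQ project. Reimplements the rule's
'|contains' and '|endswith' list matching (case-insensitive) and the condition
'selection and not 1 of filter_main_*'.
"""

# Values copied from the rule's 'selection' and 'filter_main_pwsh' lists.
SELECTION_TARGET_CONTAINS = (
    "\\WindowsPowerShell\\Modules\\",
    "\\PowerShell\\7\\Modules\\",
)

FILTER_IMAGE_ENDSWITH = (
    ":\\Program Files\\PowerShell\\7-preview\\pwsh.exe",
    ":\\Program Files\\PowerShell\\7\\pwsh.exe",
    ":\\Windows\\System32\\poqexec.exe",
    ":\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
    ":\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    ":\\Windows\\SysWOW64\\poqexec.exe",
    ":\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
    ":\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
)


def sigma_contains(value: str, needles) -> bool:
    """Sigma '|contains' list: any needle occurs anywhere in value, case-insensitively."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def sigma_endswith(value: str, suffixes) -> bool:
    """Sigma '|endswith' list: value ends with any suffix, case-insensitively."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def rule_matches(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    selection = sigma_contains(event.get("TargetFilename", ""), SELECTION_TARGET_CONTAINS)
    filter_main_pwsh = sigma_endswith(event.get("Image", ""), FILTER_IMAGE_ENDSWITH)
    return selection and not filter_main_pwsh


# Constructed Sysmon Event ID 11 (FileCreate) records; hypothetical, not real telemetry.
SAMPLE_EVENTS = [
    # 0: Windows PowerShell installing a module itself -> filtered
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": "C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadLine\\2.2.6\\PSReadLine.psm1"},
    # 1: Explorer dropping a module into the user-scope module path -> alert
    {"Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\WindowsPowerShell\\Modules\\Updater\\Updater.psm1"},
    # 2: PowerShell 7 writing under its own Modules directory -> filtered
    {"Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "TargetFilename": "C:\\Program Files\\PowerShell\\7\\Modules\\Pester\\Pester.psd1"},
    # 3: Windows servicing (poqexec.exe) updating a shipped module -> filtered
    {"Image": "C:\\Windows\\System32\\poqexec.exe",
     "TargetFilename": "C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1"},
    # 4: msiexec installing a vendor module into the PowerShell 7 path -> alert
    {"Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetFilename": "C:\\Program Files\\PowerShell\\7\\Modules\\VendorTools\\VendorTools.psd1"},
    # 5: a copied powershell.exe outside its canonical path -> alert (filter is path-anchored)
    {"Image": "C:\\Users\\Public\\powershell.exe",
     "TargetFilename": "C:\\Program Files\\WindowsPowerShell\\Modules\\Helper\\Helper.dll"},
    # 6: the built-in v1.0\Modules directory is not covered by the selection strings -> no match
    {"Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\Evil\\Evil.psm1"},
    # 7: mixed-case paths show the comparison is case-insensitive -> filtered
    {"Image": "c:\\windows\\system32\\windowspowershell\\v1.0\\POWERSHELL.EXE",
     "TargetFilename": "c:\\program files\\windowspowershell\\modules\\Foo\\Foo.psm1"},
]


def alerts(events) -> list:
    """Return the indices of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if rule_matches(e)]


if __name__ == "__main__":
    for i in alerts(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[i]
        print(f"ALERT: {e['Image']} created {e['TargetFilename']}")
```

Two things the run makes visible that the YAML alone does not. First, because `selection` uses `contains`, the per-user path `...\Documents\WindowsPowerShell\Modules\` is covered as well as the machine-wide one, while the shipped module directory `...\WindowsPowerShell\v1.0\Modules\` is not, since the `v1.0` segment sits between `WindowsPowerShell` and `Modules`. Second, the filter is anchored on the full canonical path of the PowerShell binaries, so a copied or renamed `powershell.exe` writing into a module directory is still reported.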
Related rules
- ChromeLoader Malware Execution
- DarkGate - User Created Via Net.EXE
- Diamond Sleet APT Scheduled Task Creation
- Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
- Schtasks Creation Or Modification With SYSTEM Privileges