PowerShell Module File Created By Non-PowerShell Process

Detects the creation of a new PowerShell module file (".psm1", ".psd1", ".dll", ".ps1", etc.) in a PowerShell module directory by a process other than PowerShell itself.

Sigma rule (View on GitHub)

title: PowerShell Module File Created By Non-PowerShell Process
id: e3845023-ca9a-4024-b2b2-5422156d5527
status: experimental
description: Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc. by a non-PowerShell process
references:
    - Internal Research
    - https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/09
modified: 2023/10/18
tags:
    - attack.persistence
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains:
            - '\WindowsPowerShell\Modules\'
            - '\PowerShell\7\Modules\'
    filter_main_pwsh:
        Image|endswith:
            - ':\Program Files\PowerShell\7-preview\pwsh.exe'
            - ':\Program Files\PowerShell\7\pwsh.exe'
            - ':\Windows\System32\poqexec.exe' # https://github.com/SigmaHQ/sigma/issues/4448
            - ':\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
            - ':\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
            - ':\Windows\SysWOW64\poqexec.exe' # https://github.com/SigmaHQ/sigma/issues/4448
            - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
            - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
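
The rule's matching logic, written out as an added Python example (not part of the Sigma rule or the SigmaHQ project) so the selection, the filter and the `selection and not 1 of filter_main_*` condition can be checked against sample events. It assumes file-create events already normalised to dicts with `Image` and `TargetFilename` fields; the sample events are constructed, and Sigma's default case-insensitive string comparison is applied.

```python
# Added example: evaluate the rule against constructed file_event records.
# Values below are copied from the rule's YAML.
SELECTION_CONTAINS = (
    "\\WindowsPowerShell\\Modules\\",
    "\\PowerShell\\7\\Modules\\",
)
FILTER_IMAGE_ENDSWITH = (
    ":\\Program Files\\PowerShell\\7-preview\\pwsh.exe",
    ":\\Program Files\\PowerShell\\7\\pwsh.exe",
    ":\\Windows\\System32\\poqexec.exe",
    ":\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
    ":\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    ":\\Windows\\SysWOW64\\poqexec.exe",
    ":\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
    ":\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
)


def matches(event: dict) -> bool:
    """True if the rule fires for one normalised file-create event."""
    # Sigma string modifiers (|contains, |endswith) compare case-insensitively
    # unless |cased is added, so both sides are lower-cased here.
    target = event.get("TargetFilename", "").lower()
    image = event.get("Image", "").lower()
    selection = any(s.lower() in target for s in SELECTION_CONTAINS)
    filtered = any(image.endswith(f.lower()) for f in FILTER_IMAGE_ENDSWITH)
    # condition: selection and not 1 of filter_main_*
    return selection and not filtered


def alerts(events):
    """Return the subset of events the rule would flag."""
    return [e for e in events if matches(e)]


# Constructed sample events (not real telemetry). The installer records show
# that any legitimate non-PowerShell process writing a module also fires.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": "C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\Pester.psm1"},
    {"Image": "C:\\Users\\alice\\Downloads\\setup.exe",
     "TargetFilename": "C:\\Program Files\\WindowsPowerShell\\Modules\\Helper\\Helper.psd1"},
    {"Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\notes.ps1"},
    {"Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "TargetFilename": "C:\\Program Files\\PowerShell\\7\\Modules\\PSReadLine\\PSReadLine.psm1"},
    {"Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetFilename": "C:\\Program Files\\PowerShell\\7\\Modules\\Vendor\\Vendor.dll"},
]

if __name__ == "__main__":
    for e in alerts(SAMPLE_EVENTS):
        print("ALERT", e["Image"], "->", e["TargetFilename"])
```

Only the `setup.exe` and `msiexec.exe` records are flagged: the first and fourth are excluded by `filter_main_pwsh`, and the third never enters `selection` because the file is outside a module directory.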
