Import PowerShell Modules From Suspicious Directories

 1title: Import PowerShell Modules From Suspicious Directories
 2id: 21f9162c-5f5d-4b01-89a8-b705bd7d10ab
 3related:
 4    - id: c31364f7-8be6-4b77-8483-dd2b5a7b69a3
 5      type: similar
 6status: test
 7description: Detects powershell scripts that import modules from suspicious directories
 8references:
 9    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2022-07-07
12modified: 2023-01-10
13tags:
14    - attack.execution
15    - attack.t1059.001
16logsource:
17    product: windows
18    category: ps_script
19    definition: 'Requirements: Script Block Logging must be enabled'
20detection:
21    selection:
22        ScriptBlockText|contains:
23            - 'Import-Module "$Env:Temp\'
24            - Import-Module '$Env:Temp\
25            - 'Import-Module $Env:Temp\'
26            - 'Import-Module "$Env:Appdata\'
27            - Import-Module '$Env:Appdata\
28            - 'Import-Module $Env:Appdata\'
29            - 'Import-Module C:\Users\Public\'
30            # Import-Module alias is "ipmo"
31            - 'ipmo "$Env:Temp\'
32            - ipmo '$Env:Temp\
33            - 'ipmo $Env:Temp\'
34            - 'ipmo "$Env:Appdata\'
35            - ipmo '$Env:Appdata\
36            - 'ipmo $Env:Appdata\'
37            - 'ipmo C:\Users\Public\'
38    condition: selection
39falsepositives:
40    - Unknown
41level: medium