Import PowerShell Modules From Suspicious Directories
Detects powershell scripts that import modules from suspicious directories
Sigma rule (View on GitHub)
1title: Import PowerShell Modules From Suspicious Directories
2id: 21f9162c-5f5d-4b01-89a8-b705bd7d10ab
3related:
4 - id: c31364f7-8be6-4b77-8483-dd2b5a7b69a3
5 type: similar
6status: test
7description: Detects powershell scripts that import modules from suspicious directories
8references:
9 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2022/07/07
12modified: 2023/01/10
13tags:
14 - attack.execution
15 - attack.t1059.001
16logsource:
17 product: windows
18 category: ps_script
19 definition: 'Requirements: Script Block Logging must be enabled'
20detection:
21 selection:
22 ScriptBlockText|contains:
23 - 'Import-Module "$Env:Temp\'
24 - Import-Module '$Env:Temp\
25 - 'Import-Module $Env:Temp\'
26 - 'Import-Module "$Env:Appdata\'
27 - Import-Module '$Env:Appdata\
28 - 'Import-Module $Env:Appdata\'
29 - 'Import-Module C:\Users\Public\'
30 # Import-Module alias is "ipmo"
31 - 'ipmo "$Env:Temp\'
32 - ipmo '$Env:Temp\
33 - 'ipmo $Env:Temp\'
34 - 'ipmo "$Env:Appdata\'
35 - ipmo '$Env:Appdata\
36 - 'ipmo $Env:Appdata\'
37 - 'ipmo C:\Users\Public\'
38 condition: selection
39falsepositives:
40 - Unknown
41level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Import PowerShell Modules From Suspicious Directories - ProcCreation
- Malicious Nishang PowerShell Commandlets
- Potential Persistence Via Powershell Search Order Hijacking - Task
- Potential PowerShell Obfuscation Using Alias Cmdlets
- Potential PowerShell Obfuscation Using Character Join