Import PowerShell Modules From Suspicious Directories - ProcCreation

 1title: Import PowerShell Modules From Suspicious Directories - ProcCreation
 2id: c31364f7-8be6-4b77-8483-dd2b5a7b69a3
 3related:
 4    - id: 21f9162c-5f5d-4b01-89a8-b705bd7d10ab
 5      type: similar
 6status: test
 7description: Detects powershell scripts that import modules from suspicious directories
 8references:
 9    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2023-01-10
12tags:
13    - attack.execution
14    - attack.t1059.001
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection:
20        CommandLine|contains:
21            - 'Import-Module "$Env:Temp\'
22            - Import-Module '$Env:Temp\
23            - 'Import-Module $Env:Temp\'
24            - 'Import-Module "$Env:Appdata\'
25            - Import-Module '$Env:Appdata\
26            - 'Import-Module $Env:Appdata\'
27            - 'Import-Module C:\Users\Public\'
28            # Import-Module alias is "ipmo"
29            - 'ipmo "$Env:Temp\'
30            - ipmo '$Env:Temp\
31            - 'ipmo $Env:Temp\'
32            - 'ipmo "$Env:Appdata\'
33            - ipmo '$Env:Appdata\
34            - 'ipmo $Env:Appdata\'
35            - 'ipmo C:\Users\Public\'
36    condition: selection
37falsepositives:
38    - Unknown
39level: medium