Detectionmediumtest

Import PowerShell Modules From Suspicious Directories - ProcCreation

Detects powershell scripts that import modules from suspicious directories

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems)Created Tue Jan 10c31364f7-8be6-4b77-8483-dd2b5a7b69a3windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        CommandLine|contains:
            - 'Import-Module "$Env:Temp\'
            - Import-Module '$Env:Temp\
            - 'Import-Module $Env:Temp\'
            - 'Import-Module "$Env:Appdata\'
            - Import-Module '$Env:Appdata\
            - 'Import-Module $Env:Appdata\'
            - 'Import-Module C:\Users\Public\'
            # Import-Module alias is "ipmo"
            - 'ipmo "$Env:Temp\'
            - ipmo '$Env:Temp\
            - 'ipmo $Env:Temp\'
            - 'ipmo "$Env:Appdata\'
            - ipmo '$Env:Appdata\
            - 'ipmo $Env:Appdata\'
            - 'ipmo C:\Users\Public\'
    condition: selection