
Potential Suspicious PowerShell Module File Created

Detects the creation of a new PowerShell module in the first folder of the module directory structure, e.g. "\WindowsPowerShell\Modules\malware\malware.psm1". This is a somewhat uncommon practice, as legitimate modules usually include a version folder between the module folder and the module file.

Author: Nasreddine Bencherchali (Nextron Systems) | Created: Tue May 09 | Rule ID: e8a52bbd-bced-459f-bd93-64db45ce7657 | Product: windows
Log Source
Product: Windows (raw: windows)
Category: File Event (raw: file_event)

Events for file system activity including creation, modification, and deletion.

Detection Logic
detection:
    selection:
        TargetFilename|re:
            # Note: Don't include PowerShell 7 as it has default modules that don't follow this logic
            # Exactly one directory between "Modules" and the file name, i.e. no version folder
            - '\\WindowsPowerShell\\Modules\\[^\\]+\\[^\\]+\.ps[dm]1$'
            - '\\WindowsPowerShell\\Modules\\[^\\]+\\[^\\]+\.dll$'
    condition: selection
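To see which module layouts this logic flags and which it leaves alone, here is an added example (not part of the Sigma rule or the SigmaHQ project) that applies a regex equivalent of the detection, one directory between "Modules" and the file and no version folder, to constructed file-creation events; the field names and sample paths are assumptions made up for the demonstration.

```python
import re

# Added example, not part of the Sigma rule or the SigmaHQ project: a regex
# equivalent of the detection logic, one directory between "Modules" and the
# file (no version folder), applied to constructed file-creation events.
MODULE_PATTERNS = [
    r"\\WindowsPowerShell\\Modules\\[^\\]+\\[^\\]+\.ps[dm]1$",
    r"\\WindowsPowerShell\\Modules\\[^\\]+\\[^\\]+\.dll$",
]
# NTFS paths are case-insensitive, so the flag is set here; Sigma's |re
# modifier is case-sensitive unless the rule adds |i.
_COMPILED = [re.compile(p, re.IGNORECASE) for p in MODULE_PATTERNS]


def is_suspicious_module_path(target_filename: str) -> bool:
    """True when the file sits directly under Modules\\<name>\\ with no version folder."""
    return any(rx.search(target_filename) for rx in _COMPILED)


def triage(events):
    """Return the TargetFilename of every event the rule would match, in input order."""
    return [e["TargetFilename"] for e in events
            if is_suspicious_module_path(e["TargetFilename"])]


# Constructed sample events shaped like Sysmon Event ID 11 (FileCreate) fields.
SAMPLE_EVENTS = [
    # Module dropped one folder deep: the layout the rule is written to flag.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\Documents\WindowsPowerShell\Modules\malware\malware.psm1"},
    # Versioned layout used by published modules: not matched.
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "TargetFilename": r"C:\Program Files\WindowsPowerShell\Modules\Pester\5.5.0\Pester.psm1"},
    # Binary module one folder deep: matched by the .dll pattern.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Program Files\WindowsPowerShell\Modules\Helper\Helper.dll"},
    # PowerShell 7 keeps modules under a different root, so it is out of scope.
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "TargetFilename": r"C:\Program Files\PowerShell\7\Modules\PSReadLine\PSReadLine.psm1"},
    # A .ps1 script inside a module folder is not a module file: not matched.
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Program Files\WindowsPowerShell\Modules\Tools\run.ps1"},
]

if __name__ == "__main__":
    for path in triage(SAMPLE_EVENTS):
        print("MATCH:", path)
```

Running it prints only the first and third sample paths; the versioned Pester layout and the PowerShell 7 module root are deliberately not matched, which is where environment-specific filters from the False Positives section would otherwise be needed.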
False Positives

False positive rate will vary depending on the environments. Additional filters might be required to make this logic usable in production.

References
1. Internal Research
2. learn.microsoft.com
MITRE ATT&CK
attack.persistence
Rule Metadata
Rule ID: e8a52bbd-bced-459f-bd93-64db45ce7657
Status: test
Level: medium
Type: Detection
Created: Tue May 09
Path: rules/windows/file/file_event/file_event_win_powershell_module_susp_creation.yml
Raw Tags: attack.persistence