Adversaries may drop PowerShell module files (.psm1, .psd1, .ps1 or a .dll) into a directory on the module search path so that their code runs whenever the module is imported or auto-loaded, giving them code execution and persistence that can later support lateral movement or command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel; the rule below keys on a PowerShell host process writing into a module directory.
Detection Rule
title: PowerShell Module File Created
id: e36941d0-c0f0-443f-bc6f-cb2952eb69ea
status: test
description: Detects the creation of a new PowerShell module file (".psm1", ".psd1", ".dll", ".ps1", etc.) in a module directory by a PowerShell host process
references:
    - Internal Research
    - https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-09
tags:
    - attack.persistence
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        TargetFilename|contains:
            - '\WindowsPowerShell\Modules\'
            - '\PowerShell\7\Modules\'
    condition: selection
falsepositives:
    - Likely
level: low
imFileEvent
// Sigma 'Image' is the process that wrote the file; in the ASIM FileEvent schema that is
// ActingProcessName, not TargetFilePath (the created file's full path). TargetFileName holds
// only the file name, so it can never contain a directory and the original filter never matched.
| where EventType == "FileCreated"
| where (ActingProcessName endswith "\\powershell.exe" or ActingProcessName endswith "\\pwsh.exe")
    and (TargetFilePath contains "\\WindowsPowerShell\\Modules\\" or TargetFilePath contains "\\PowerShell\\7\\Modules\\")
| project TimeGenerated, DvcHostname, ActorUsername, ActingProcessName, ActingProcessCommandLine, TargetFilePath
Note that the rule's path list covers the Windows PowerShell module directories (system and per-user) and C:\Program Files\PowerShell\7\Modules, but not the other PowerShell 7 locations, C:\Program Files\PowerShell\Modules and the per-user Documents\PowerShell\Modules; extend the TargetFilePath filter if pwsh module drops in those directories matter in your environment.
Scenario: A system administrator is authoring a new module for internal tooling and saves it into a module directory from a PowerShell session.
Filter/Exclusion: Writes made from PowerShell ISE come from powershell_ise.exe, which the selection does not match; only powershell.exe and pwsh.exe sessions fire the rule. Exclude named administrator accounts writing to their own per-user directory (C:\Users\<username>\Documents\WindowsPowerShell\Modules\) rather than the whole Administrators group, because an adversary operating with admin rights would otherwise be excluded as well.
Scenario: A scheduled task runs a legitimate PowerShell script that creates a module file as part of its setup process.
Filter/Exclusion: The file event carries no task name or ID; exclude on the acting process command line referencing the known script path (e.g., -File followed by the script's full path) together with the module directory that script is expected to write. If you need the task itself, join against process-creation telemetry where the parent is the Task Scheduler service host (svchost.exe -k netsvcs -p -s Schedule).
Scenario: A Microsoft Intune deployment runs a configuration script through powershell.exe as SYSTEM and the script installs a PowerShell module. (Windows Update does not write files through powershell.exe, so it does not trigger this rule.)
Filter/Exclusion: Exclude on the acting process command line referencing the Intune Management Extension scripts directory (C:\Program Files (x86)\Microsoft Intune Management Extension\Policies\Scripts\) paired with the module name the script deploys. Do not exclude on the strings "Microsoft" or "Windows" in the target path, which an adversary chooses freely, and note that C:\Windows\Temp is not a module directory and never appears in a matched TargetFilePath.
Scenario: A third-party application (e.g., Dell Command | Configure, VMware Tools) installs a PowerShell module through a PowerShell script during its installation.
Filter/Exclusion: Exclude on the installer's command line or parent process running from the vendor's installation directory (e.g., C:\Program Files\Dell or C:\Program Files\VMware) paired with the specific module directory it creates; filtering on the installation directory alone does not apply, because the matched path is the module directory, not the vendor's.
Scenario: A Windows PowerShell profile (e.g., Microsoft.PowerShell_profile.ps1) is being created or modified, and the profile or the user's session also writes module files.
Filter/Exclusion: The profile itself lives in C:\Users\<username>\Documents\WindowsPowerShell\ (not under \Modules\) and so does not match the rule; only module files written under C:\Users\<username>\Documents\WindowsPowerShell\Modules\ do. Scope any exclusion to the named user's per-user Modules directory and the specific module names they maintain.
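To check the selection and the tuning approach above against concrete events, here is an added Python simulation of the rule's selection logic and of narrow, two-condition exclusions, evaluated over constructed Sysmon Event ID 11 (FileCreate) style records. It is not part of the original page or of the Sigma rule's project; the Intune scripts directory, the C:\Ops\Scripts deployment script, the module names and the account names are assumptions made for illustration. It also exercises two coverage caveats: a write from powershell_ise.exe and a write to the per-user PowerShell 7 module path produce no match.

```python
"""Simulate the 'PowerShell Module File Created' selection plus tuning exclusions
over constructed file-create events. Added example; all events are made up."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FileCreate:
    image: str          # process that created the file (Sigma: Image)
    target: str         # created file path (Sigma: TargetFilename)
    cmdline: str = ""   # command line of the creating process
    user: str = ""      # account the process ran as


# Sigma selection from the rule, evaluated case-insensitively like Sigma and KQL do.
HOST_IMAGES = ("\\powershell.exe", "\\pwsh.exe")
MODULE_DIRS = ("\\windowspowershell\\modules\\", "\\powershell\\7\\modules\\")


def rule_matches(ev: FileCreate) -> bool:
    image, target = ev.image.lower(), ev.target.lower()
    return image.endswith(HOST_IMAGES) and any(d in target for d in MODULE_DIRS)


# Each exclusion requires BOTH a known launching script (visible in the process command
# line) AND a destination under the directory that job is expected to write. Matching on
# "Microsoft" in the file name or on admin group membership is deliberately avoided,
# since an adversary controls both. All paths here are hypothetical.
@dataclass(frozen=True)
class Exclusion:
    label: str
    cmdline_contains: str
    target_prefix: str


EXCLUSIONS = (
    Exclusion("intune-ime-script",
              "\\microsoft intune management extension\\policies\\scripts\\",
              "c:\\program files\\windowspowershell\\modules\\corptools\\"),
    Exclusion("sched-task-deploy",
              "-file c:\\ops\\scripts\\deploy-module.ps1",
              "c:\\program files\\windowspowershell\\modules\\opstools\\"),
)


def excluded_by(ev: FileCreate) -> Optional[str]:
    cmd, target = ev.cmdline.lower(), ev.target.lower()
    for ex in EXCLUSIONS:
        if ex.cmdline_contains in cmd and target.startswith(ex.target_prefix):
            return ex.label
    return None


def triage(ev: FileCreate) -> str:
    """Return 'no_match', 'excluded:<label>' or 'alert' for one event."""
    if not rule_matches(ev):
        return "no_match"
    label = excluded_by(ev)
    return f"excluded:{label}" if label else "alert"


PS5 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ISE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe"
PS7 = r"C:\Program Files\PowerShell\7\pwsh.exe"
IME_SCRIPT = r'-File "C:\Program Files (x86)\Microsoft Intune Management Extension\Policies\Scripts\t1\s1.ps1"'
DEPLOY = r"-NoProfile -File C:\Ops\Scripts\deploy-module.ps1"

# Constructed events, one per scenario above plus the two coverage caveats.
SAMPLE_EVENTS = [
    # admin authoring a module from a console session: alert, needs review
    FileCreate(PS5, r"C:\Users\alice\Documents\WindowsPowerShell\Modules\Tooling\Tooling.psm1", "powershell.exe", "CORP\\alice"),
    # same write from ISE: the selection does not cover powershell_ise.exe
    FileCreate(ISE, r"C:\Users\alice\Documents\WindowsPowerShell\Modules\Tooling\Tooling.psm1", "powershell_ise.exe", "CORP\\alice"),
    # Intune deployment writing its expected module: excluded
    FileCreate(PS5, r"C:\Program Files\WindowsPowerShell\Modules\CorpTools\CorpTools.psd1", "powershell.exe " + IME_SCRIPT, "NT AUTHORITY\\SYSTEM"),
    # scheduled deployment script writing its expected module: excluded
    FileCreate(PS5, r"C:\Program Files\WindowsPowerShell\Modules\OpsTools\OpsTools.psm1", "powershell.exe " + DEPLOY, "CORP\\svc-deploy"),
    # same script, unexpected destination (tampered or lookalike): still alerts
    FileCreate(PS5, r"C:\Program Files\WindowsPowerShell\Modules\PSReadLine\PSReadLine.psm1", "powershell.exe " + DEPLOY, "CORP\\svc-deploy"),
    # encoded command dropping a Microsoft-looking module name: alerts
    FileCreate(PS5, r"C:\Program Files\WindowsPowerShell\Modules\Microsoft.Update\Microsoft.Update.psm1", "powershell.exe -nop -w hidden -enc SQBFAFgA", "NT AUTHORITY\\SYSTEM"),
    # pwsh per-user module path is outside the rule's path list: no match
    FileCreate(PS7, r"C:\Users\bob\Documents\PowerShell\Modules\Probe\Probe.psm1", "pwsh.exe", "CORP\\bob"),
    # pwsh system module path is covered: alert
    FileCreate(PS7, r"C:\Program Files\PowerShell\7\Modules\Probe\Probe.dll", "pwsh.exe", "CORP\\bob"),
]


def triage_all(events=SAMPLE_EVENTS):
    return [(ev.target, triage(ev)) for ev in events]


if __name__ == "__main__":
    for target, verdict in triage_all():
        print(f"{verdict:28} {target}")
```

The two-condition exclusion is the point of the design: the deployment script's command line alone is not a pass, because the fifth event (same script, different destination) still alerts, which is what you want if the script or the task definition has been tampered with.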