A malicious actor may attempt to establish persistence or execute arbitrary code by dropping a PowerShell module into one of the standard module directories from a process that is not PowerShell itself; PowerShell auto-loads modules found in those paths as soon as one of their commands is invoked, so a planted module runs without any further action by the attacker. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify adversarial activity that could lead to lateral movement or command and control operations.
Detection Rule
title: PowerShell Module File Created By Non-PowerShell Process
id: e3845023-ca9a-4024-b2b2-5422156d5527
status: test
description: Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc. by a non-PowerShell process
references:
    - Internal Research
    - https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-09
modified: 2025-10-07
tags:
    - attack.persistence
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains:
            - '\WindowsPowerShell\Modules\'
            - '\PowerShell\7\Modules\'
    filter_main_pwsh:
        Image|endswith:
            - ':\Program Files\PowerShell\7-preview\pwsh.exe'
            - ':\Program Files\PowerShell\7\pwsh.exe'
            - ':\Windows\System32\poqexec.exe' # https://github.com/SigmaHQ/sigma/issues/4448
            - ':\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
            - ':\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
            - ':\Windows\SysWOW64\poqexec.exe' # https://github.com/SigmaHQ/sigma/issues/4448
            - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
            - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
    filter_main_msiexec:
        Image:
            - 'C:\Windows\System32\msiexec.exe'
            - 'C:\Windows\SysWOW64\msiexec.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
Sentinel Query (ASIM imFileEvent)
imFileEvent
// ASIM FileEvent schema: TargetFilePath is the full path of the created file (Sigma TargetFilename)
// and ActingProcessName is the process that created it (Sigma Image). TargetFileName holds only the
// file name, so a path match on it would never fire. contains/endswith/in~ are case-insensitive.
| where TargetFilePath contains "\\WindowsPowerShell\\Modules\\"
    or TargetFilePath contains "\\PowerShell\\7\\Modules\\"
| where not(
    ActingProcessName endswith ":\\Program Files\\PowerShell\\7-preview\\pwsh.exe"
    or ActingProcessName endswith ":\\Program Files\\PowerShell\\7\\pwsh.exe"
    or ActingProcessName endswith ":\\Windows\\System32\\poqexec.exe"
    or ActingProcessName endswith ":\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe"
    or ActingProcessName endswith ":\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    or ActingProcessName endswith ":\\Windows\\SysWOW64\\poqexec.exe"
    or ActingProcessName endswith ":\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell_ise.exe"
    or ActingProcessName endswith ":\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
    or ActingProcessName in~ ("C:\\Windows\\System32\\msiexec.exe", "C:\\Windows\\SysWOW64\\msiexec.exe")
)
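To validate the selection and exclusion logic before deploying the rule, here is an added Python example (not part of the Sigma rule, the SigmaHQ project or the Sentinel query) that re-implements the `selection and not 1 of filter_main_*` condition over constructed Sysmon-style file-creation events; the event dictionaries and the process paths in them are made up for the test.

```python
"""Evaluate the 'PowerShell Module File Created By Non-PowerShell Process' logic
against constructed Sysmon Event ID 11 style records (not real telemetry)."""

# selection: TargetFilename|contains
MODULE_DIRS = ("\\WindowsPowerShell\\Modules\\", "\\PowerShell\\7\\Modules\\")

# filter_main_pwsh: Image|endswith (drive letter omitted, exactly as in the rule)
PWSH_IMAGE_SUFFIXES = (
    ":\\Program Files\\PowerShell\\7-preview\\pwsh.exe",
    ":\\Program Files\\PowerShell\\7\\pwsh.exe",
    ":\\Windows\\System32\\poqexec.exe",
    ":\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
    ":\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    ":\\Windows\\SysWOW64\\poqexec.exe",
    ":\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
    ":\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
)
# filter_main_msiexec: exact Image values
MSIEXEC_IMAGES = ("C:\\Windows\\System32\\msiexec.exe", "C:\\Windows\\SysWOW64\\msiexec.exe")


def matches(event: dict) -> bool:
    """True when the event satisfies `selection and not 1 of filter_main_*`.
    Sigma string modifiers compare case-insensitively, so both sides are lower-cased."""
    target = event.get("TargetFilename", "").lower()
    image = event.get("Image", "").lower()
    selection = any(d.lower() in target for d in MODULE_DIRS)
    filter_pwsh = any(image.endswith(s.lower()) for s in PWSH_IMAGE_SUFFIXES)
    filter_msiexec = image in [p.lower() for p in MSIEXEC_IMAGES]
    return selection and not (filter_pwsh or filter_msiexec)


# Constructed sample events: one excluded by each filter, one true positive, one non-module file
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": "C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadLine\\PSReadLine.psd1"},
    {"Image": "C:\\Windows\\SysWOW64\\msiexec.exe",
     "TargetFilename": "C:\\Program Files\\PowerShell\\7\\Modules\\VendorTool\\VendorTool.psm1"},
    {"Image": "C:\\Users\\alice\\Downloads\\setup_helper.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\WindowsPowerShell\\Modules\\Helper\\Helper.psm1"},
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "TargetFilename": "C:\\Users\\alice\\Desktop\\notes.txt"},
]


def hits(events) -> list:
    """Return the Image of every event the rule would alert on."""
    return [e["Image"] for e in events if matches(e)]


if __name__ == "__main__":
    for img in hits(SAMPLE_EVENTS):
        print("ALERT: module file written by", img)
```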
False Positive Scenarios and Tuning

Scenario: A system administrator uses powershell.exe to deploy a new module via Install-Module or Publish-Module.
Filter/Exclusion: Confirm that the creating process is powershell.exe (already covered by filter_main_pwsh) and that its command line contains Install-Module or Publish-Module.

Scenario: A scheduled job runs a script that dynamically creates a .psm1 file as part of a configuration deployment.
Filter/Exclusion: Exclude files created by scheduled jobs with a known name or path, e.g., C:\ScheduledJobs\config-deploy\*.psm1.

Scenario: A third-party tool such as Chocolatey or Packer creates a PowerShell module file during package installation.
Filter/Exclusion: Exclude files created by processes such as choco.exe or packer.exe (msiexec.exe is already covered by filter_main_msiexec).

Scenario: An admin manually creates a .psm1 file with a text editor (e.g., Notepad, VS Code) for custom module development.
Filter/Exclusion: Exclude files created by processes such as notepad.exe, code.exe, or vim.exe only when the target path is in a known development directory; an exclusion on the editor image alone would also hide a module planted through that editor.

Scenario: A legitimate application (e.g., SQL Server Management Studio or Exchange Management Shell) creates a PowerShell module file during setup or configuration.
Filter/Exclusion: Exclude files created by processes such as ssms.exe, exsetup.exe, or setup.exe, and restrict the exclusion to known application installation paths.