Sample rules
Potential Suspicious PowerShell Module File Created
- source: sigma
- techniques:
Description
Detects the creation of a new PowerShell module file directly in the first folder of the module directory structure, e.g. “\WindowsPowerShell\Modules\malware\malware.psm1”. This is a somewhat uncommon layout, as legitimate modules usually include a version folder between the module folder and the module file.
Detection logic
condition: selection
selection:
TargetFilename|endswith:
- \\WindowsPowerShell\\Modules\\*\.ps
- \\WindowsPowerShell\\Modules\\*\.dll
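An added example, not part of the Sigma rule or its project code: a small Python re-implementation of the rule's intent run over constructed Sysmon FileCreate (Event ID 11) records. It assumes the wildcard stands for exactly one path component (the module folder), so files nested under a version folder do not match, and it treats the `.ps` suffix as covering `.ps1`, `.psm1` and `.psd1`.

```python
import re

# Assumption: the '*' in the rule's values is one path component (the module
# folder), so "Modules\<Name>\<file>" matches but "Modules\<Name>\<ver>\<file>"
# does not. ".ps" is read as any extension starting with ".ps" (.ps1/.psm1/.psd1).
MODULE_FILE_RE = re.compile(
    r"\\WindowsPowerShell\\Modules\\[^\\]+\\[^\\]+\.(?:ps[^\\.]*|dll)$",
    re.IGNORECASE,
)


def is_flat_module_file(target_filename: str) -> bool:
    """True when a PowerShell module file sits directly in its module folder."""
    return MODULE_FILE_RE.search(target_filename) is not None


def scan(events):
    """Return the TargetFilename of every Sysmon FileCreate event the rule would flag."""
    return [
        e["TargetFilename"]
        for e in events
        if e.get("EventID") == 11 and is_flat_module_file(e["TargetFilename"])
    ]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Flat module layout from the rule description: flagged.
    {"EventID": 11, "TargetFilename": r"C:\Program Files\WindowsPowerShell\Modules\malware\malware.psm1"},
    # Legitimate layout with a version folder: not flagged.
    {"EventID": 11, "TargetFilename": r"C:\Program Files\WindowsPowerShell\Modules\PSReadLine\2.2.6\PSReadLine.psm1"},
    # Binary module dropped flat into a per-user module path: flagged.
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\Documents\WindowsPowerShell\Modules\Helper\Helper.dll"},
    # Non-module file in a module folder: not flagged.
    {"EventID": 11, "TargetFilename": r"C:\Program Files\WindowsPowerShell\Modules\Helper\README.md"},
    # Script outside the Modules tree: not flagged.
    {"EventID": 11, "TargetFilename": r"C:\Temp\evil.ps1"},
    # Manifest dropped flat: flagged.
    {"EventID": 11, "TargetFilename": r"C:\Program Files\WindowsPowerShell\Modules\Foo\Foo.psd1"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit)
```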