LoFP / Legitimate installation of approved PowerShell modules may trigger this detection. Verify module sources (publisher signature, the installing process, and the repository the module came from) to reduce false positives.

Techniques

Sample rules

Windows PowerShell Module File Created

Description

Detects the creation of a DLL within the various PowerShell module directories (the all-users root under Program Files, the per-user root under Documents, and the system root under System32\WindowsPowerShell\v1.0). This can indicate a new module being installed, attempts at ScriptBlock smuggling, or other malicious PowerShell activity utilizing modules. Note that the path predicate matches only Windows PowerShell 5.1 module roots (a path containing \WindowsPowerShell\Modules\); PowerShell 7 module roots under \PowerShell\Modules\ and \PowerShell\7\Modules\ are not covered, and a non-DLL module file (.psm1, .psd1) will not match. False positives could include installation of legitimate modules.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Filesystem
    where Filesystem.action="created"
          Filesystem.file_path="*\\WindowsPowerShell\\Modules\\*.dll"
          Filesystem.file_name="*.dll"
    by Filesystem.dest Filesystem.file_create_time Filesystem.process_path
       Filesystem.process_guid Filesystem.process_id Filesystem.file_path Filesystem.file_name
       Filesystem.user Filesystem.vendor_product Filesystem.action
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_powershell_module_file_created_filter`
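To make concrete what the where clause catches and what it misses, the following is an added Python stand-in for the search, run over constructed Endpoint.Filesystem-style rows. It is example code written for this page, not Splunk's or the detection's own code. The host names, users, file and process paths are invented, the case-insensitive wildcard matching is this example's choice, and the msiexec allowlist standing in for the `windows_powershell_module_file_created_filter` macro (which ships empty) is an assumption that illustrates one way to act on the "verify module sources" guidance. The sample set includes a PowerShell 7 module drop to show that it falls outside the rule's path pattern.

```python
"""Stand-in for the 'Windows PowerShell Module File Created' tstats search.
Added example, not Splunk's code. All event rows below are constructed."""
import re
from dataclasses import dataclass


@dataclass
class FsEvent:
    """Subset of Endpoint.Filesystem fields the search keys on."""
    dest: str
    action: str
    file_path: str
    file_name: str
    process_path: str
    user: str


# The rule's predicates. Only Windows PowerShell 5.1 module roots match.
PATH_PATTERN = r"*\WindowsPowerShell\Modules\*.dll"
NAME_PATTERN = "*.dll"


def spl_like(value: str, pattern: str) -> bool:
    """SPL-style wildcard match: '*' matches any run of characters, every
    other character (backslashes included) is literal. Case-insensitive
    here; that is this example's assumption, check your own deployment."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def matches_rule(ev: FsEvent) -> bool:
    """Equivalent of the tstats where clause."""
    return (ev.action == "created"
            and spl_like(ev.file_path, PATH_PATTERN)
            and spl_like(ev.file_name, NAME_PATTERN))


# Hypothetical body for the `windows_powershell_module_file_created_filter`
# macro: drop hits written by an approved package installer. Assumption for
# this example only; the shipped macro filters nothing.
APPROVED_INSTALLERS = {r"c:\windows\system32\msiexec.exe"}


def apply_filter(matches):
    return [ev for ev in matches if ev.process_path.lower() not in APPROVED_INSTALLERS]


def run_detection(events):
    """Returns (raw hits, hits after the tuning filter), mirroring the SPL."""
    raw = [ev for ev in events if matches_rule(ev)]
    return raw, apply_filter(raw)


PS51 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed rows
    # Legitimate all-users install via Install-Module: hit (known false positive)
    FsEvent("ws01", "created",
            r"C:\Program Files\WindowsPowerShell\Modules\PSReadLine\2.2.6\Microsoft.PowerShell.PSReadLine2.dll",
            "Microsoft.PowerShell.PSReadLine2.dll", PS51, "alice"),
    # Per-user module root written by a binary in Temp: hit (worth triage)
    FsEvent("ws02", "created",
            r"C:\Users\bob\Documents\WindowsPowerShell\Modules\Updater\Updater.dll",
            "Updater.dll", r"C:\Users\bob\AppData\Local\Temp\stage.exe", "bob"),
    # PowerShell 7 module root: no hit, the path pattern does not cover it
    FsEvent("ws03", "created",
            r"C:\Program Files\PowerShell\7\Modules\Foo\Foo.dll",
            "Foo.dll", r"C:\Program Files\PowerShell\7\pwsh.exe", "carol"),
    # Script module in the right directory: no hit, file is not a DLL
    FsEvent("ws01", "created",
            r"C:\Program Files\WindowsPowerShell\Modules\PSReadLine\2.2.6\PSReadLine.psm1",
            "PSReadLine.psm1", PS51, "alice"),
    # DLL removed rather than created: no hit
    FsEvent("ws01", "deleted",
            r"C:\Program Files\WindowsPowerShell\Modules\Old\Old.dll",
            "Old.dll", PS51, "alice"),
    # Vendor MSI dropping a module DLL: hit, then suppressed by the filter
    FsEvent("ws04", "created",
            r"C:\Program Files\WindowsPowerShell\Modules\Vendor\Vendor.dll",
            "Vendor.dll", r"C:\Windows\System32\msiexec.exe", "SYSTEM"),
]

if __name__ == "__main__":
    raw, filtered = run_detection(SAMPLE_EVENTS)
    print(f"raw hits: {len(raw)}, after filter: {len(filtered)}")
    for ev in filtered:
        print(f"  {ev.dest} {ev.user} {ev.process_path} -> {ev.file_path}")
```

Running it yields three raw hits and two after the filter; the PowerShell 7 drop on ws03 is never seen by the rule, which is the gap to keep in mind if pwsh is deployed in your estate.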