← Back to Explore
sigmamediumHunting
Import PowerShell Modules From Suspicious Directories
Detects powershell scripts that import modules from suspicious directories
Detection Query
selection:
ScriptBlockText|contains:
- Import-Module "$Env:Temp\
- Import-Module '$Env:Temp\
- Import-Module $Env:Temp\
- Import-Module "$Env:Appdata\
- Import-Module '$Env:Appdata\
- Import-Module $Env:Appdata\
- Import-Module C:\Users\Public\
- ipmo "$Env:Temp\
- ipmo '$Env:Temp\
- ipmo $Env:Temp\
- ipmo "$Env:Appdata\
- ipmo '$Env:Appdata\
- ipmo $Env:Appdata\
- ipmo C:\Users\Public\
condition: selection
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2022-07-07
Data Sources
windowsps_script
Platforms
windows
Tags
attack.executionattack.t1059.001
Raw Content
title: Import PowerShell Modules From Suspicious Directories
id: 21f9162c-5f5d-4b01-89a8-b705bd7d10ab
related:
- id: c31364f7-8be6-4b77-8483-dd2b5a7b69a3
type: similar
status: test
description: Detects powershell scripts that import modules from suspicious directories
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-07
modified: 2023-01-10
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'Import-Module "$Env:Temp\'
- Import-Module '$Env:Temp\
- 'Import-Module $Env:Temp\'
- 'Import-Module "$Env:Appdata\'
- Import-Module '$Env:Appdata\
- 'Import-Module $Env:Appdata\'
- 'Import-Module C:\Users\Public\'
# Import-Module alias is "ipmo"
- 'ipmo "$Env:Temp\'
- ipmo '$Env:Temp\
- 'ipmo $Env:Temp\'
- 'ipmo "$Env:Appdata\'
- ipmo '$Env:Appdata\
- 'ipmo $Env:Appdata\'
- 'ipmo C:\Users\Public\'
condition: selection
falsepositives:
- Unknown
level: medium