Threat Feed
medium advisory

Suspicious PowerShell Module DLL Creation

Creation of a DLL file inside a PowerShell module directory can indicate malicious PowerShell activity, such as installation of a rogue binary module or an attempt at ScriptBlock smuggling; the detection uses Sysmon Event ID 11 (FileCreate).

PowerShell binary modules are .NET assemblies: a DLL placed in a directory on PSModulePath is loaded by Import-Module, and its cmdlets run with the privileges of the PowerShell host. Writing a DLL into one of these directories is therefore a convenient way for an attacker to introduce malicious functionality, whether as a rogue module, as part of an attempt at ScriptBlock smuggling to bypass security controls, or as other malicious PowerShell tooling. The detection monitors the creation of new DLLs within the PowerShell module directories: the system module directory under System32, the Program Files module directories, and the per-user Documents module directories. Legitimate module installations (Install-Module, vendor MSI packages) create the same files, so expect benign hits and tune on the creating process and module name; the potential for abuse still makes the event worth monitoring. The detection logic is based on Sysmon Event ID 11 (FileCreate), which records the creating process (Image) and the written path (TargetFilename).

Attack Chain

  1. An attacker gains initial access to the system via phishing or other means.
  2. The attacker leverages PowerShell to download a malicious DLL module.
  3. The attacker uses PowerShell commands to place the malicious DLL into a PowerShell module directory (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\Modules, which requires administrative rights, or the per-user Documents\WindowsPowerShell\Modules directory, which does not).
  4. Sysmon Event ID 11 logs the creation of the DLL file in the PowerShell module directory.
  5. The attacker then imports the module using Import-Module.
  6. Once the module is imported, the attacker executes malicious code embedded within the DLL.
  7. This allows the attacker to perform actions such as privilege escalation, data exfiltration, or lateral movement.
  8. The attacker achieves persistence by modifying PowerShell profiles or using scheduled tasks to automatically load the malicious module on system startup.

Impact

Successful exploitation can lead to a wide range of malicious activities, including persistence, privilege escalation, and data theft. Attackers can use this technique to maintain long-term access to compromised systems and networks. The impact can range from minor data breaches to complete system compromise depending on the attacker’s objectives and the permissions of the compromised user account.

Recommendation

  • Configure Sysmon with FileCreate (Event ID 11) rules that cover the PowerShell module directories, as this is the data source for the detections below.
  • Deploy the Sigma rule “PowerShell Module DLL Created” to your SIEM and tune it for your environment (known installers, package managers, module names) to detect suspicious DLL creation in PowerShell module directories.
  • Investigate any alerts generated by the Sigma rule: check the creating process, the user, the module name and the DLL’s signature to determine whether the DLL creation is legitimate or malicious.
  • Enable PowerShell module logging and script block logging (Event IDs 4103 and 4104) and monitor for Import-Module and other module-related commands, as these show the module being loaded and executed.
  • Implement application control (WDAC or AppLocker DLL rules) so that PowerShell can only load signed or otherwise trusted DLLs.

Detection coverage (2 rules)

PowerShell Module DLL Created

medium

Detects the creation of a DLL file within the PowerShell module directories, potentially indicating malicious PowerShell activity.

Sigma | Tactics: defense_evasion, persistence | Techniques: T1059.001, T1129, T1574 | Sources: file_event, windows

PowerShell Module DLL Created by Uncommon Process

high

Detects the creation of a DLL file within the PowerShell module directories by a process other than powershell.exe, potentially indicating malicious activity.

Sigma | Tactics: defense_evasion, persistence | Techniques: T1059.001, T1129, T1574 | Sources: file_event, windows
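To make the two rules concrete, here is an added example (not the feed’s own detection query, which is not reproduced on this page) that classifies constructed Sysmon Event ID 11 records in Python the way the two rules above describe. The module roots are the default PSModulePath locations and are an assumption, as is treating pwsh.exe (PowerShell 7) as an expected writer alongside powershell.exe.

```python
"""Toy re-implementation of the two detections on this page, run over
constructed Sysmon Event ID 11 (FileCreate) records.  Added example; the
module roots and the process allowlist are assumptions, not the feed's rules."""
from dataclasses import dataclass
import ntpath

# Module roots that appear on a default PSModulePath (assumed list; add your
# own entries).  Compared case-insensitively with path separators normalised
# to backslash, so each marker ends in a separator.
MODULE_DIR_MARKERS = (
    "\\windows\\system32\\windowspowershell\\v1.0\\modules\\",
    "\\program files\\windowspowershell\\modules\\",
    "\\program files (x86)\\windowspowershell\\modules\\",
    "\\program files\\powershell\\7\\modules\\",
    "\\documents\\windowspowershell\\modules\\",
    "\\documents\\powershell\\modules\\",
)

# Creating processes expected to write module DLLs.  The page's high-severity
# rule names only powershell.exe; pwsh.exe (PowerShell 7) is added here as an
# assumption for hosts that install modules from PowerShell 7.
EXPECTED_IMAGES = {"powershell.exe", "pwsh.exe"}


@dataclass
class FileCreateEvent:
    """The Sysmon Event ID 11 fields the rules need."""
    image: str            # Sysmon "Image": full path of the creating process
    target_filename: str  # Sysmon "TargetFilename": path of the created file
    user: str = ""        # Sysmon "User": context for triage, not matched on


def is_powershell_module_dll(path: str) -> bool:
    """True when `path` is a .dll under one of the PowerShell module roots."""
    p = path.replace("/", "\\").lower()
    return p.endswith(".dll") and any(marker in p for marker in MODULE_DIR_MARKERS)


def classify(ev: FileCreateEvent):
    """Return None, "medium" or "high" according to the two rules on this page."""
    if not is_powershell_module_dll(ev.target_filename):
        return None
    if ntpath.basename(ev.image).lower() in EXPECTED_IMAGES:
        return "medium"   # PowerShell Module DLL Created
    return "high"         # PowerShell Module DLL Created by Uncommon Process


def triage(events):
    """Return (severity, event) pairs for every event that fires a rule."""
    hits = []
    for ev in events:
        level = classify(ev)
        if level is not None:
            hits.append((level, ev))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Install-Module run from Windows PowerShell: fires the medium rule.
    FileCreateEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                    r"C:\Program Files\WindowsPowerShell\Modules\PSReadLine\2.2.6\Microsoft.PowerShell.PSReadLine2.dll",
                    "CORP\\admin"),
    # cmd.exe copying a DLL into the system module directory: fires the high rule.
    FileCreateEvent(r"C:\Windows\System32\cmd.exe",
                    r"C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Update\Update.dll",
                    "CORP\\alice"),
    # Script module (.psm1), not a DLL: no alert.
    FileCreateEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                    r"C:\Users\alice\Documents\WindowsPowerShell\Modules\Tools\Tools.psm1",
                    "CORP\\alice"),
    # DLL outside any module root: not in scope for these two rules.
    FileCreateEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                    r"C:\Users\alice\AppData\Local\Temp\loader.dll",
                    "CORP\\alice"),
    # Upper-case extension, 32-bit module root, written by explorer.exe: high.
    FileCreateEvent(r"C:\Windows\explorer.exe",
                    r"C:\Program Files (x86)\WindowsPowerShell\Modules\Helper\Helper.DLL",
                    "CORP\\alice"),
]

if __name__ == "__main__":
    for level, ev in triage(SAMPLE_EVENTS):
        print(f"{level:6} {ntpath.basename(ev.image):15} {ev.target_filename}")
```

The usual benign source of high-severity hits is a vendor installer (msiexec.exe, setup.exe) dropping a module as part of a product install; tune by adding those images to the allowlist per product rather than widening it globally, and keep the medium rule so that DLLs written by PowerShell itself are still reviewed.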
