Creating a DLL file inside a PowerShell module directory can indicate malicious PowerShell activity, such as installing new modules or attempting ScriptBlock smuggling. This activity is detected using Sysmon Event ID 11.
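The detection logic described above, run over Sysmon events in their XML form (Event ID 11 is Sysmon's FileCreate event). This is an added example, not code from the original page: the module directory pattern covers the default Windows PowerShell and PowerShell 7 locations as an assumption, and `make_event` and the sample events are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumption: default module locations only; extend for a custom PSModulePath.
MODULE_DIR = re.compile(
    r"\\(windowspowershell\\(v1\.0\\)?|powershell\\(\d+\\)?)modules\\",
    re.IGNORECASE,
)

def parse_event(xml_text):
    """Return (event_id, {field name: value}) for one Sysmon event in XML form."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    return event_id, data

def detect(events):
    """Return (Image, TargetFilename) for each DLL created in a module directory."""
    hits = []
    for event_id, data in map(parse_event, events):
        target = data.get("TargetFilename", "")
        if (event_id == 11 and target.lower().endswith(".dll")
                and MODULE_DIR.search(target)):
            hits.append((data.get("Image", ""), target))
    return hits

def make_event(event_id, image, target):
    """Build a minimal constructed Sysmon event (real events carry more fields)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f"<System><EventID>{event_id}</EventID></System><EventData>"
        f'<Data Name="Image">{image}</Data>'
        f'<Data Name="TargetFilename">{target}</Data>'
        "</EventData></Event>"
    )

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed sample data
    make_event(11, PS, r"C:\Program Files\WindowsPowerShell\Modules\Demo\Demo.dll"),
    make_event(11, PS, r"C:\Users\alice\Documents\PowerShell\Modules\Demo\Demo.psm1"),
    make_event(11, PS, r"C:\Users\alice\AppData\Local\Temp\Demo.dll"),
    make_event(1, PS, r"C:\Program Files\PowerShell\7\Modules\Demo\Demo.dll"),
    make_event(11, PS, r"C:\Users\alice\Documents\WindowsPowerShell\Modules\X\x.DLL"),
]

if __name__ == "__main__":
    for image, target in detect(SAMPLE_EVENTS):
        print(f"ALERT module DLL created by {image}: {target}")
```

The returned `Image` value identifies the writing process, which helps an analyst separate expected module installation from unexpected writers.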