
Summary
Detects the creation of DLLs in Windows PowerShell module directories by monitoring Sysmon EventID 11 (FileCreate). A DLL appearing under WindowsPowerShell\\Modules\\*.dll can indicate a new PowerShell module installation or other module-based activity such as ScriptBlock smuggling. The rule collects file_path, file_name, and file_create_time, and correlates the event with the originating process (process_path, process_guid, process_id) and the user, as well as the destination host and vendor product when available. The detection is expressed as a Splunk query mapped to the Endpoint data model, so results can be correlated quickly with other endpoint telemetry. It includes drilldowns to inspect results by user and destination and to review risk events and related analytic stories. Implementation requires EDR telemetry that provides complete command lines and process context, ingested via the appropriate Splunk tech add-ons and normalized through the CIM so the data is comparable with other endpoint signals. The risk-based alerting (RBA) message reports a PowerShell module DLL created at the specified path on the destination; it should raise a risk alert when the DLL is unexpected or untrusted. Legitimate module installations will also match the rule; reduce false positives by verifying module sources and approved packages. References cover ScriptBlock Smuggling techniques and related advisories. This rule contributes to detections of Windows PowerShell persistence and module-based abuse (MITRE techniques T1059.001 and T1574).
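The matching logic described above, run over constructed Sysmon-style events as an added illustration (not the rule's own Splunk query): only EventID 11 records whose TargetFilename is a .dll beneath a WindowsPowerShell\Modules\ directory are kept, the fields the rule collects are extracted, and an assumed approved-module list shows one way to tune out known packages. The event layout, host, user and module names are all assumptions.

```python
import re
from typing import Iterable

# Matches DLLs under either PowerShell module root (case-insensitive), e.g.
#   C:\Program Files\WindowsPowerShell\Modules\<Mod>\<ver>\<Mod>.dll
#   C:\Users\<u>\Documents\WindowsPowerShell\Modules\<Mod>\<Mod>.dll
MODULE_DLL_RE = re.compile(r"\\WindowsPowerShell\\Modules\\(?P<mod>[^\\]+)\\.*\.dll$",
                           re.IGNORECASE)

def detect(events: Iterable[dict], approved_modules: frozenset = frozenset()) -> list:
    """Return one finding per Sysmon EventID 11 that creates a DLL in a module folder,
    carrying the fields the rule collects (file_*, process_*, user, dest)."""
    findings = []
    for e in events:
        if e.get("EventID") != 11:                 # FileCreate only
            continue
        path = e.get("TargetFilename", "")
        m = MODULE_DLL_RE.search(path)
        if not m:                                  # not a DLL under ...\Modules\
            continue
        mod = m.group("mod")                       # first directory under Modules\
        if mod.lower() in approved_modules:        # tuning: org-approved packages (assumed list)
            continue
        findings.append({"dest": e["Computer"], "user": e["User"], "module": mod,
                         "file_path": path, "file_name": path.rsplit("\\", 1)[-1],
                         "file_create_time": e["CreationUtcTime"],
                         "process_path": e["Image"], "process_guid": e["ProcessGuid"],
                         "process_id": int(e["ProcessId"])})
    return findings

def _ev(eid, target, image, user="CORP\\alice", pid="4321"):
    """Constructed Sysmon-style event for the demo (not real telemetry)."""
    return {"EventID": eid, "Computer": "ws01", "User": user, "TargetFilename": target,
            "CreationUtcTime": "2026-04-13 10:00:01.123", "Image": image,
            "ProcessGuid": "{11111111-2222-3333-4444-555555555555}", "ProcessId": pid}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed sample input
    _ev(11, r"C:\Users\alice\Documents\WindowsPowerShell\Modules\Helper\Helper.dll", PS),
    _ev(11, r"C:\Program Files\WindowsPowerShell\Modules\CorpTools\2.1.0\CorpTools.dll",
        r"C:\Windows\System32\msiexec.exe", user="NT AUTHORITY\\SYSTEM", pid="777"),
    _ev(11, r"C:\Users\alice\Documents\WindowsPowerShell\Modules\Helper\Helper.psm1", PS),  # not a DLL
    _ev(11, r"C:\Users\alice\Downloads\Helper.dll", PS),                # DLL outside a module dir
    _ev(1, r"C:\Program Files\WindowsPowerShell\Modules\Other\Other.dll", PS),  # not FileCreate
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['dest']} {f['user']} {f['process_path']} -> {f['file_path']}")
```

Each finding carries the same field names the rule emits, so the output maps directly onto the Endpoint data model fields used for drilldowns.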
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Script
- File
- Process
- Module
- Logon Session
- Image
- Kernel
- Sensor Health
- Network Traffic
- Process
- Windows Registry
- File
- Drive
- Snapshot
- Command
- Process
ATT&CK Techniques
- T1129
- T1059.001
- T1574
Created: 2026-04-13