Detectionmediumtest
Potential Persistence Via PowerShell User Profile Using Add-Content
Detects calls to "Add-Content" cmdlet in order to modify the content of the user profile and potentially adding suspicious commands for persistence
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
François Hubaut, Nasreddine Bencherchali (Nextron Systems)Created Wed Aug 18Updated Thu May 0405b3e303-faf0-4f4a-9b30-46cc13e69152windows
Log Source
WindowsPowerShell Script
ProductWindows← raw: windows
CategoryPowerShell Script← raw: ps_script
Definition
Requirements: Script Block Logging must be enabled
Detection Logic
Detection Logic2 selectors
detection:
selection_add:
ScriptBlockText|contains: 'Add-Content $profile'
selection_options:
ScriptBlockText|contains:
# Note: You can add more suspicious values
- '-Value "IEX '
- '-Value "Invoke-Expression'
- '-Value "Invoke-WebRequest'
- '-Value "Start-Process'
- "-Value 'IEX "
- "-Value 'Invoke-Expression"
- "-Value 'Invoke-WebRequest"
- "-Value 'Start-Process"
condition: all of selection_*False Positives
Legitimate administration and tuning scripts that aim to add functionality to a user PowerShell session
References
MITRE ATT&CK
Sub-techniques
Rule Metadata
Rule ID
05b3e303-faf0-4f4a-9b30-46cc13e69152
Status
test
Level
medium
Type
Detection
Created
Wed Aug 18
Modified
Thu May 04
Path
rules/windows/powershell/powershell_script/posh_ps_user_profile_tampering.yml
Raw Tags
attack.persistenceattack.privilege-escalationattack.t1546.013