Detectionmediumtest
PowerShell Profile Modification
Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
HieuTT35, Nasreddine Bencherchali (Nextron Systems)Created Thu Oct 24Updated Mon Oct 23b5b78988-486d-4a80-b991-930eff3ff8bfwindows
Log Source
WindowsFile Event
ProductWindows← raw: windows
CategoryFile Event← raw: file_event
Events for file system activity including creation, modification, and deletion.
Detection Logic
Detection Logic1 selector
detection:
selection:
TargetFilename|endswith:
- '\Microsoft.PowerShell_profile.ps1'
- '\PowerShell\profile.ps1'
- '\Program Files\PowerShell\7-preview\profile.ps1'
- '\Program Files\PowerShell\7\profile.ps1'
- '\Windows\System32\WindowsPowerShell\v1.0\profile.ps1'
- '\WindowsPowerShell\profile.ps1'
condition: selectionFalse Positives
System administrator creating Powershell profile manually
MITRE ATT&CK
Sub-techniques
Rule Metadata
Rule ID
b5b78988-486d-4a80-b991-930eff3ff8bf
Status
test
Level
medium
Type
Detection
Created
Thu Oct 24
Modified
Mon Oct 23
Path
rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml
Raw Tags
attack.persistenceattack.privilege-escalationattack.t1546.013