PowerShell Profile Modification
Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
Sigma rule (View on GitHub)
1title: PowerShell Profile Modification
2id: b5b78988-486d-4a80-b991-930eff3ff8bf
3status: test
4description: Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
5references:
6 - https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
7 - https://persistence-info.github.io/Data/powershellprofile.html
8author: HieuTT35, Nasreddine Bencherchali (Nextron Systems)
9date: 2019/10/24
10modified: 2023/10/23
11tags:
12 - attack.persistence
13 - attack.privilege_escalation
14 - attack.t1546.013
15logsource:
16 product: windows
17 category: file_event
18detection:
19 selection:
20 TargetFilename|endswith:
21 - '\Microsoft.PowerShell_profile.ps1'
22 - '\PowerShell\profile.ps1'
23 - '\Program Files\PowerShell\7-preview\profile.ps1'
24 - '\Program Files\PowerShell\7\profile.ps1'
25 - '\Windows\System32\WindowsPowerShell\v1.0\profile.ps1'
26 - '\WindowsPowerShell\profile.ps1'
27 condition: selection
28falsepositives:
29 - System administrator creating Powershell profile manually
30level: medium
References
-
ESET researchers show how, in a bid to evade detection, the Turla group leverages PowerShell scripts to inject malware directly into memory.
Read More -
PowerShell Profile Location: $PSHOME\Profile.ps1 $PSHOME\Microsoft.PowerShell_profile.ps1 $Home\[My ]Documents\PowerShell\Profile.ps1 $Home\[My ]Documents\PowerShell\Microsoft.PowerShell_profile.ps...
Read More
Related rules
- Potential Persistence Via PowerShell User Profile Using Add-Content
- Diamond Sleet APT Scheduled Task Creation
- Azure Kubernetes CronJob
- Third Party Software DLL Sideloading
- WMI Persistence