Potential Persistence Via PowerShell User Profile Using Add-Content
Detects calls to "Add-Content" cmdlet in order to modify the content of the user profile and potentially adding suspicious commands for persistence
Sigma rule (View on GitHub)
1title: Potential Persistence Via PowerShell User Profile Using Add-Content
2id: 05b3e303-faf0-4f4a-9b30-46cc13e69152
3status: test
4description: Detects calls to "Add-Content" cmdlet in order to modify the content of the user profile and potentially adding suspicious commands for persistence
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.013/T1546.013.md
7author: frack113, Nasreddine Bencherchali (Nextron Systems)
8date: 2021/08/18
9modified: 2023/05/04
10tags:
11 - attack.persistence
12 - attack.privilege_escalation
13 - attack.t1546.013
14logsource:
15 product: windows
16 category: ps_script
17 definition: 'Requirements: Script Block Logging must be enabled'
18detection:
19 selection_add:
20 ScriptBlockText|contains: 'Add-Content $profile'
21 selection_options:
22 ScriptBlockText|contains:
23 # Note: You can add more suspicious values
24 - '-Value "IEX '
25 - '-Value "Invoke-Expression'
26 - '-Value "Invoke-WebRequest'
27 - '-Value "Start-Process'
28 - "-Value 'IEX "
29 - "-Value 'Invoke-Expression"
30 - "-Value 'Invoke-WebRequest"
31 - "-Value 'Start-Process"
32 condition: all of selection_*
33falsepositives:
34 - Legitimate administration and tuning scripts that aim to add functionality to a user PowerShell session
35level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Remote WMI ActiveScriptEventConsumers
- Failed Logins with Different Accounts from Single Source System
- Failed NTLM Logins with Different Accounts from Single Source System
- Malicious Service Installations
- Sticky Key Like Backdoor Execution