LoFP / legitimate administration and tuning scripts that aim to add functionality to a user PowerShell session

Techniques

Sample rules

Potential Persistence Via PowerShell User Profile Using Add-Content

Description

Detects calls to the "Add-Content" cmdlet that modify the content of the user profile and potentially add suspicious commands for persistence

Detection logic

condition: all of selection_*
selection_add:
  ScriptBlockText|contains: Add-Content $profile
selection_options:
  ScriptBlockText|contains:
  - '-Value "IEX '
  - -Value "Invoke-Expression
  - -Value "Invoke-WebRequest
  - -Value "Start-Process
  - '-Value ''IEX '
  - -Value 'Invoke-Expression
  - -Value 'Invoke-WebRequest
  - -Value 'Start-Process
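The detection logic above, re-implemented as an added Python example (not part of the LoFP page or of the Sigma rule itself) and run over constructed ScriptBlockText samples; the tuning filter and the benign fragment list are assumptions, showing how the legitimate tuning-script case this page lists would be excluded:

```python
# Added example (not from the LoFP page or the Sigma project): a minimal,
# case-insensitive re-implementation of the rule's two selections, applied to
# constructed ScriptBlockText samples, plus an assumed tuning filter of the
# kind a practitioner adds for a known-benign profile line.

SELECTION_ADD = ["add-content $profile"]
SELECTION_OPTIONS = [
    '-value "iex ', '-value "invoke-expression', '-value "invoke-webrequest',
    '-value "start-process',
    "-value 'iex ", "-value 'invoke-expression", "-value 'invoke-webrequest",
    "-value 'start-process",
]

def matches_rule(script_block_text: str) -> bool:
    """condition: all of selection_* (Sigma 'contains' is case-insensitive)."""
    text = script_block_text.lower()
    return any(s in text for s in SELECTION_ADD) and any(s in text for s in SELECTION_OPTIONS)

def matches_tuned_rule(script_block_text: str, benign_fragments) -> bool:
    """Same rule with an assumed extra filter: ... and not filter_known_benign."""
    text = script_block_text.lower()
    if any(b.lower() in text for b in benign_fragments):
        return False
    return matches_rule(script_block_text)

# Constructed sample events (PowerShell script block logging, ScriptBlockText field)
SAMPLES = {
    "persistence": 'Add-Content $PROFILE -Value "IEX (<constructed placeholder>)"',
    "benign_alias": "Add-Content $profile -Value 'Set-Alias ll Get-ChildItem'",
    "tuning_script": 'Add-Content $profile -Value "Invoke-Expression (& starship init powershell)"',
}

# Assumed allowlist: the prompt initializer a tuning script writes into $profile
KNOWN_BENIGN = ["starship init powershell"]

def evaluate(samples=SAMPLES):
    """Return {name: (raw rule hit, tuned rule hit)} for each sample."""
    return {name: (matches_rule(t), matches_tuned_rule(t, KNOWN_BENIGN))
            for name, t in samples.items()}

if __name__ == "__main__":
    for name, (raw, tuned) in evaluate().items():
        print(f"{name:14} raw={raw} tuned={tuned}")
```

The raw rule fires on both the persistence sample and the tuning script (the false positive this page describes); the filter keeps the persistence hit while suppressing the known-benign line.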