Techniques
Sample rules
VsCode Powershell Profile Modification
- source: sigma
- techniques:
  - t1546
  - t1546.013
Description
Detects the creation or modification of a VS Code-related PowerShell profile, which could indicate suspicious activity because the profile can be used as a means of persistence.
Detection logic
condition: selection
selection:
  TargetFilename|endswith: \Microsoft.VSCode_profile.ps1