PowerShell Profile Modification
- source: sigma
- techniques:
  - t1546
  - t1546.013
Description
Detects the creation or modification of a PowerShell profile script. Because every profile is dot-sourced automatically each time a new PowerShell host starts, a write to one of these files can indicate suspicious activity: the profile is a well-known means of persistence (T1546.013).
Detection logic
detection:
  selection:
    TargetFilename|endswith:
      - '\Microsoft.PowerShell_profile.ps1'
      - '\PowerShell\profile.ps1'
      - '\Program Files\PowerShell\7-preview\profile.ps1'
      - '\Program Files\PowerShell\7\profile.ps1'
      - '\Windows\System32\WindowsPowerShell\v1.0\profile.ps1'
      - '\WindowsPowerShell\profile.ps1'
  condition: selection
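To make the selection logic concrete, the following is an added example (not part of the Sigma rule or of the original page) that evaluates the rule's `TargetFilename|endswith` selection over a handful of constructed Sysmon Event ID 11 (FileCreate) records. The field names mirror Sysmon's FileCreate event; the user name, process paths and file paths in the sample records are invented. Sigma string modifiers compare case-insensitively, so the check lowercases both sides, and it handles events that carry no `TargetFilename` at all.

```python
# Added example (not part of the Sigma rule or the original page): evaluates the
# rule's selection over constructed Sysmon FileCreate (Event ID 11) records.
from typing import Iterable

# The six suffixes from the rule's TargetFilename|endswith selection.
PROFILE_SUFFIXES = (
    r"\Microsoft.PowerShell_profile.ps1",
    r"\PowerShell\profile.ps1",
    r"\Program Files\PowerShell\7-preview\profile.ps1",
    r"\Program Files\PowerShell\7\profile.ps1",
    r"\Windows\System32\WindowsPowerShell\v1.0\profile.ps1",
    r"\WindowsPowerShell\profile.ps1",
)


def matches_profile_rule(event: dict) -> bool:
    """Return True when the event satisfies `condition: selection`.

    Sigma's endswith modifier is case-insensitive, so both sides are lowercased.
    Events without a string TargetFilename field (e.g. process-create events)
    can never match.
    """
    target = event.get("TargetFilename")
    if not isinstance(target, str):
        return False
    lowered = target.lower()
    return any(lowered.endswith(suffix.lower()) for suffix in PROFILE_SUFFIXES)


def find_matches(events: Iterable[dict]) -> list[dict]:
    """Run the rule over an event stream and return the matching records."""
    return [e for e in events if matches_profile_rule(e)]


# Constructed sample events; the layout mirrors Sysmon Event ID 11, values are invented.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1"},
    {"EventID": 11, "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\alice\Documents\PowerShell\profile.ps1"},
    # Same file name but not in a profile directory: must not match.
    {"EventID": 11, "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes\profile.ps1"},
    # Upper-case name: Sigma matching is case-insensitive, so this still matches.
    {"EventID": 11, "Image": r"C:\Program Files\Git\bin\git.exe",
     "TargetFilename": r"C:\Users\alice\Documents\WindowsPowerShell\PROFILE.PS1"},
    # Process-create event with no TargetFilename field at all.
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(f"ALERT T1546.013: {hit['Image']} wrote {hit['TargetFilename']}")
```

Running the block prints three alerts: the two genuine profile writes and the upper-case variant, while the `notes\profile.ps1` write and the process-create event are ignored. Note that the rule keys only on the file-name suffix, so legitimate edits by the user's editor or by configuration management will fire too; when tuning, baseline which `Image` values write profiles in your environment and express the exclusions as an additional Sigma filter selection rather than loosening the suffix list.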