system administrator creating powershell profile manually

t1546
t1546.013
windows
sigma

Techniques

t1546
t1546.013

Sample rules

PowerShell Profile Modification

source: sigma
technicques:
- t1546
- t1546.013

Description

Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence

Detection logic

condition: selection
selection:
  TargetFilename|endswith:
  - \Microsoft.PowerShell_profile.ps1
  - \PowerShell\profile.ps1
  - \Program Files\PowerShell\7-preview\profile.ps1
  - \Program Files\PowerShell\7\profile.ps1
  - \Windows\System32\WindowsPowerShell\v1.0\profile.ps1
  - \WindowsPowerShell\profile.ps1