rules/windows/powershell/powershell_suspicious_profile_create.yml

title: Powershell Profile.ps1 Modification
id: b5b78988-486d-4a80-b991-930eff3ff8bf
status: experimental
description: Detects a change in profile.ps1 of the Powershell profile
references:
    - https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
author: HieuTT35
date: 2019/10/24
modified: 2020/08/24
logsource:
    product: windows
    category: file_event
detection:
    target1:
        TargetFilename|contains|all: 
            - '\My Documents\PowerShell\'
            - '\profile.ps1'
    target2:
        TargetFilename|contains|all: 
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\'
            - '\profile.ps1'
    condition: target1 or target2
falsepositives:
    - System administrator create Powershell profile manually
level: high
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1546.013
Update powershell_suspicious_profile_create.yml 2020-04-03 09:36:17 +02:00			`title: Powershell Profile.ps1 Modification`
			`id: b5b78988-486d-4a80-b991-930eff3ff8bf`
Create new rules for T1502 2019-10-25 00:14:21 +07:00			`status: experimental`
Update powershell_suspicious_profile_create.yml 2020-04-03 09:36:17 +02:00			`description: Detects a change in profile.ps1 of the Powershell profile`
Create new rules for T1502 2019-10-25 00:14:21 +07:00			`references:`
convention 2019-10-25 11:00:05 +07:00			`- https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/`
Create new rules for T1502 2019-10-25 00:14:21 +07:00			`author: HieuTT35`
			`date: 2019/10/24`
att&ck tags review: windows/powershell, windows/process_access, windows/network_connection 2020-08-24 23:31:26 +00:00			`modified: 2020/08/24`
Create new rules for T1502 2019-10-25 00:14:21 +07:00			`logsource:`
			`product: windows`
- Cleaned up some more rules where 'service: sysmon' was combined with category 2020-10-02 10:45:29 +02:00			`category: file_event`
Create new rules for T1502 2019-10-25 00:14:21 +07:00			`detection:`
Update powershell_suspicious_profile_create.yml 2019-10-25 10:53:21 +07:00			`target1:`
Update powershell_suspicious_profile_create.yml 2020-04-03 09:36:17 +02:00			`TargetFilename\|contains\|all:`
			`- '\My Documents\PowerShell\'`
			`- '\profile.ps1'`
Update powershell_suspicious_profile_create.yml 2019-10-25 10:53:21 +07:00			`target2:`
Update powershell_suspicious_profile_create.yml 2020-04-03 09:36:17 +02:00			`TargetFilename\|contains\|all:`
			`- 'C:\Windows\System32\WindowsPowerShell\v1.0\'`
			`- '\profile.ps1'`
- Cleaned up some more rules where 'service: sysmon' was combined with category 2020-10-02 10:45:29 +02:00			`condition: target1 or target2`
Create new rules for T1502 2019-10-25 00:14:21 +07:00			`falsepositives:`
convention 2019-10-25 11:00:05 +07:00			`- System administrator create Powershell profile manually`
Create new rules for T1502 2019-10-25 00:14:21 +07:00			`level: high`
Update powershell_suspicious_profile_create.yml 2019-10-25 10:53:21 +07:00			`tags:`
			`- attack.persistence`
			`- attack.privilege_escalation`
windows/powershell folder reviewed. Old ID’s marked with comment “an old one”. These ID’s have to be removed in future. 2020-08-24 00:01:50 +00:00			`- attack.t1546.013`