From 0e4cd397efe2561e537fb2434532a3a4e4101f54 Mon Sep 17 00:00:00 2001
From: hieuttmmo <46371125+hieuttmmo@users.noreply.github.com>
Date: Fri, 25 Oct 2019 00:14:21 +0700
Subject: [PATCH] Create new rules for T1502

---
 .../powershell_susp_profile_create.yml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 rules/windows/powershell/powershell_susp_profile_create.yml

diff --git a/rules/windows/powershell/powershell_susp_profile_create.yml b/rules/windows/powershell/powershell_susp_profile_create.yml
new file mode 100644
index 000000000..0bf95f4f0
--- /dev/null
+++ b/rules/windows/powershell/powershell_susp_profile_create.yml
@@ -0,0 +1,24 @@
+title: Powershell profile modify
+status: experimental
+description: 'Detects a change in profile.ps1 of Powershell profile'
+references:
+ - 'https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/'
+tags:
+ - attack.persistence
+ - attack.privellege_escalation
+ - attack.t1502
+author: HieuTT35
+date: 2019/10/24
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 11
+ TargetFilename|re:
+ - '.*\\My Documents\\PowerShell\\(Microsoft\.)?.*(Profile|profile)\.ps1'
+ - 'C\:\\Windows\\System32\\WindowsPowerShell\\v1\.0\\(Microsoft\.)?.*(Profile|profile)\.ps1'
+ condition: selection
+falsepositives:
+ - unknown
+level: high
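Review bot: The first TargetFilename pattern keys on `\My Documents\PowerShell\`, but the per-user profile lives under `Documents\WindowsPowerShell\` (Windows PowerShell) or `Documents\PowerShell\` (PowerShell Core) and Sysmon most likely logs the real `Documents` path rather than the legacy junction name, so that branch probably never fires; suggest `'.*\\Documents\\(Windows)?PowerShell\\(Microsoft\.)?.*[Pp]rofile\.ps1$'`, and anchoring both patterns with `$` also keeps `profile.ps1.bak`-style names from matching. Event ID 11 is FileCreate, so despite the title "profile modify" an append to an already-existing profile.ps1 is not covered by this selection; either narrow the title and description to profile creation or document that gap in the description. The tag `attack.privellege_escalation` is misspelled and will not map to the privilege-escalation tactic in tooling, and `attack.t1502` looks like the wrong technique id for PowerShell profile abuse (T1504 was the dedicated "PowerShell Profile" technique at the time, if I recall) — worth confirming against the ATT&CK matrix before merge. `falsepositives: unknown` could name the obvious benign case, users or administrators legitimately creating their own profile, since that determines whether `level: high` is sustainable.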