Create include_powershell_profiles.xml

Added PowerShell profile paths for "T1546.013 Event Triggered Execution: PowerShell Profile" detection
olafhartong · Nov 5, 2024 · f10b2de · f10b2de
1 parent a9ff298
commit f10b2de
Showing 1 changed file with 23 additions and 0 deletions.
diff --git a/11_file_create/include_powershell_profiles.xml b/11_file_create/include_powershell_profiles.xml
@@ -0,0 +1,23 @@
+<Sysmon schemaversion="4.30">
+    <EventFiltering>
+        <RuleGroup name="" groupRelation="or">
+            <FileCreate onmatch="include">
+                <Rule name="technique_id=T1546.013,technique_name=Event Triggered Execution: PowerShell Profile" groupRelation="or"> <!-- PowerShell Profile Rule for T1546.013 -->
+                    <!-- PowerShell 5.1 [ More information: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-5.1] -->
+                    <TargetFilename condition="is">C:\Users\;\Documents\WindowsPowerShell\Profile.ps1</TargetFilename>
+                    <TargetFilename condition="is">C:\Users\;\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1</TargetFilename>
+                    <TargetFilename condition="is">C:\Windows\System32\WindowsPowerShell\v1.0\Profile.ps1</TargetFilename>
+                    <TargetFilename condition="is">C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Profile.ps1</TargetFilename>
+                    <TargetFilename condition="is">C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1</TargetFilename>
+                    <TargetFilename condition="is">C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1</TargetFilename>
+
+                    <!-- PowerShell 7 [ More information: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.4] -->
+                    <TargetFilename condition="is">C:\Program Files\PowerShell\7\Profile.ps1</TargetFilename>
+                    <TargetFilename condition="is">C:\Program Files\PowerShell\7\Microsoft.PowerShell_profile.ps1</TargetFilename>
+                    <TargetFilename condition="is">C:\Users\;\Documents\PowerShell\Profile.ps1</TargetFilename>
+                    <TargetFilename condition="is">C:\Users\;\Documents\PowerShell\Microsoft.PowerShell_profile.ps1</TargetFilename>
+                </Rule>
+            </FileCreate>
+        </RuleGroup>
+    </EventFiltering>
+</Sysmon>