IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Persistence via PowerShell profile
editPersistence via PowerShell profile
editIdentifies the creation or modification of a PowerShell profile. PowerShell profile is a script that is executed when PowerShell starts to customize the user environment, which can be abused by attackers to persist in a environment where PowerShell is common.
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-endpoint.events.*
- logs-windows.*
- endgame-*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Persistence
- Data Source: Elastic Endgame
Version: 4
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editfile where host.os.type == "windows" and event.type != "deletion" and file.path : ("?:\\Users\\*\\Documents\\WindowsPowerShell\\*", "?:\\Users\\*\\Documents\\PowerShell\\*", "?:\\Windows\\System32\\WindowsPowerShell\\*") and file.name : ("profile.ps1", "Microsoft.Powershell_profile.ps1")
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
-
Technique:
- Name: Event Triggered Execution
- ID: T1546
- Reference URL: https://attack.mitre.org/techniques/T1546/
-
Sub-technique:
- Name: PowerShell Profile
- ID: T1546.013
- Reference URL: https://attack.mitre.org/techniques/T1546/013/