Skip to content

Hide Navigation Hide TOC

Potential Persistence Via PowerShell User Profile Using Add-Content (05b3e303-faf0-4f4a-9b30-46cc13e69152)

Detects calls to "Add-Content" cmdlet in order to modify the content of the user profile and potentially adding suspicious commands for persistence

Cluster A Galaxy A Cluster B Galaxy B Level
Potential Persistence Via PowerShell User Profile Using Add-Content (05b3e303-faf0-4f4a-9b30-46cc13e69152) Sigma-Rules PowerShell Profile - T1546.013 (0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3) Attack Pattern 1
PowerShell Profile - T1546.013 (0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 2