From f10b2deee0864062b4c50c8bfe9ce3896d1e9fc9 Mon Sep 17 00:00:00 2001
From: Zafer Balkan <zafer@zaferbalkan.com>
Date: Tue, 5 Nov 2024 11:58:09 +0200
Subject: [PATCH 1/3] Create include_powershell_profiles.xml

Added PowerShell profile paths for "T1546.013 Event Triggered Execution: PowerShell Profile" detection
---
 .../include_powershell_profiles.xml           | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 11_file_create/include_powershell_profiles.xml

diff --git a/11_file_create/include_powershell_profiles.xml b/11_file_create/include_powershell_profiles.xml
new file mode 100644
index 00000000..f7c9a6fe
--- /dev/null
+++ b/11_file_create/include_powershell_profiles.xml
@@ -0,0 +1,23 @@
+<Sysmon schemaversion="4.30">
+    <EventFiltering>
+        <RuleGroup name="" groupRelation="or">
+            <FileCreate onmatch="include">
+                <Rule name="technique_id=T1546.013,technique_name=Event Triggered Execution: PowerShell Profile" groupRelation="or"> <!-- PowerShell Profile Rule for T1546.013 -->
+                    <!-- PowerShell 5.1 [ More information: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-5.1] -->
+                    <TargetFilename condition="is">C:\Users\;\Documents\WindowsPowerShell\Profile.ps1</TargetFilename>
+                    <TargetFilename condition="is">C:\Users\;\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1</TargetFilename>
+                    <TargetFilename condition="is">C:\Windows\System32\WindowsPowerShell\v1.0\Profile.ps1</TargetFilename>
+                    <TargetFilename condition="is">C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Profile.ps1</TargetFilename>
+                    <TargetFilename condition="is">C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1</TargetFilename>
+                    <TargetFilename condition="is">C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1</TargetFilename>
+
+                    <!-- PowerShell 7 [ More information: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.4] -->
+                    <TargetFilename condition="is">C:\Program Files\PowerShell\7\Profile.ps1</TargetFilename>
+                    <TargetFilename condition="is">C:\Program Files\PowerShell\7\Microsoft.PowerShell_profile.ps1</TargetFilename>
+                    <TargetFilename condition="is">C:\Users\;\Documents\PowerShell\Profile.ps1</TargetFilename>
+                    <TargetFilename condition="is">C:\Users\;\Documents\PowerShell\Microsoft.PowerShell_profile.ps1</TargetFilename>
+                </Rule>
+            </FileCreate>
+        </RuleGroup>
+    </EventFiltering>
+</Sysmon>

From 3cb8f5c3381f06912d22ae975580f6589b639452 Mon Sep 17 00:00:00 2001
From: Zafer Balkan <zafer@zaferbalkan.com>
Date: Tue, 5 Nov 2024 22:26:07 +0200
Subject: [PATCH 2/3] Updated metadata

---
 0_custom_configuration/all_modules.txt        | Bin 38454 -> 38550 bytes
 .../mde_covered_modules.txt                   | Bin 22932 -> 23028 bytes
 attack_matrix/Sysmon-modular.json             |  16 ++++++++++++++++
 3 files changed, 16 insertions(+)

diff --git a/0_custom_configuration/all_modules.txt b/0_custom_configuration/all_modules.txt
index 350b396461c80e9089149c5530ffb106ab614243..a32da81c6f47ae89ee207df8b6126f8bf260d11d 100644
GIT binary patch
delta 24
gcmdnChH2VbrVUC)tOX234EdAoqa-&!Fbqop0B>vv#{d8T

delta 22
ecmbQXmTB7>rVUC)ldnX|OnzXfxA~0Gsbm0h?Fu>o

diff --git a/0_custom_configuration/mde_covered_modules.txt b/0_custom_configuration/mde_covered_modules.txt
index c19b2b6d90f8b535e6ccb4a8a2f5ac394aa48b84..2f6433cc033f662263c60cded1d3a04971e5d801 100644
GIT binary patch
delta 28
kcmbQTneoeJ#tlmpSPK}681g4i6nC9$pdhw+iNXg90HX&A(*OVf

delta 14
WcmeyenQ_Wy#tlmpHnS*xumAuwvIb=U

diff --git a/attack_matrix/Sysmon-modular.json b/attack_matrix/Sysmon-modular.json
index 969e604a..a44ca3fa 100644
--- a/attack_matrix/Sysmon-modular.json
+++ b/attack_matrix/Sysmon-modular.json
@@ -1105,6 +1105,22 @@
 			"comment": "",
 			"enabled": true,
 			"metadata": []
+		},
+		{
+			"techniqueID": "T1546.013",
+			"tactic": "persistence",
+			"color": "#fd8d3c",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1546.013",
+			"tactic": "privilege-escalation",
+			"color": "#fd8d3c",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
 		}
 	],
 	"gradient": {

From 785c4fa71fbee61856c3fdad1e0ed2c28f670f8e Mon Sep 17 00:00:00 2001
From: Zafer Balkan <zafer@zaferbalkan.com>
Date: Tue, 5 Nov 2024 22:36:47 +0200
Subject: [PATCH 3/3] Replaced `is` with `end with` for performance reasons

---
 .../include_powershell_profiles.xml           | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/11_file_create/include_powershell_profiles.xml b/11_file_create/include_powershell_profiles.xml
index f7c9a6fe..2778ca1d 100644
--- a/11_file_create/include_powershell_profiles.xml
+++ b/11_file_create/include_powershell_profiles.xml
@@ -4,18 +4,18 @@
             <FileCreate onmatch="include">
                 <Rule name="technique_id=T1546.013,technique_name=Event Triggered Execution: PowerShell Profile" groupRelation="or"> <!-- PowerShell Profile Rule for T1546.013 -->
                     <!-- PowerShell 5.1 [ More information: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-5.1] -->
-                    <TargetFilename condition="is">C:\Users\;\Documents\WindowsPowerShell\Profile.ps1</TargetFilename>
-                    <TargetFilename condition="is">C:\Users\;\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1</TargetFilename>
-                    <TargetFilename condition="is">C:\Windows\System32\WindowsPowerShell\v1.0\Profile.ps1</TargetFilename>
-                    <TargetFilename condition="is">C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Profile.ps1</TargetFilename>
-                    <TargetFilename condition="is">C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1</TargetFilename>
-                    <TargetFilename condition="is">C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1</TargetFilename>
+                    <TargetFilename condition="end with">\Documents\WindowsPowerShell\Profile.ps1</TargetFilename>
+                    <TargetFilename condition="end with">\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1</TargetFilename>
+                    <TargetFilename condition="end with">C:\Windows\System32\WindowsPowerShell\v1.0\Profile.ps1</TargetFilename>
+                    <TargetFilename condition="end with">C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Profile.ps1</TargetFilename>
+                    <TargetFilename condition="end with">C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1</TargetFilename>
+                    <TargetFilename condition="end with">C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1</TargetFilename>
 
                     <!-- PowerShell 7 [ More information: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.4] -->
-                    <TargetFilename condition="is">C:\Program Files\PowerShell\7\Profile.ps1</TargetFilename>
-                    <TargetFilename condition="is">C:\Program Files\PowerShell\7\Microsoft.PowerShell_profile.ps1</TargetFilename>
-                    <TargetFilename condition="is">C:\Users\;\Documents\PowerShell\Profile.ps1</TargetFilename>
-                    <TargetFilename condition="is">C:\Users\;\Documents\PowerShell\Microsoft.PowerShell_profile.ps1</TargetFilename>
+                    <TargetFilename condition="end with">\Documents\PowerShell\Profile.ps1</TargetFilename>
+                    <TargetFilename condition="end with">\Documents\PowerShell\Microsoft.PowerShell_profile.ps1</TargetFilename>
+                    <TargetFilename condition="end with">C:\Program Files\PowerShell\7\Profile.ps1</TargetFilename>
+                    <TargetFilename condition="end with">C:\Program Files\PowerShell\7\Microsoft.PowerShell_profile.ps1</TargetFilename>
                 </Rule>
             </FileCreate>
         </RuleGroup>