Query all users for their PowerShell profile content for PowerShell, PowerShell_ISE, and VS Code
AID2201232312.YAML
#####aid_begin
#description: file scan - query all users for their powershell profile content for powershell, powershell_ise, and visual studio code
#id: aid2201231648
#processtype: query
#category: filesandfolders
#sourcelink: <na>
#tacticidlist: <na>
#techniqueidlist: <na>
#compatibleos: |-
# windows 7
# windows 8.*
# windows 10
# windows 11
# windows server 2008 r2
# windows server 2012
# windows server 2012 r2
# windows server 2016
# windows server 2019
#compatibleengine: |-
# powershell 2
# powershell 3
# powershell 4
# powershell 5.*
# powershell 7.*
#bgcommandlist: |-
# get-bgfilestreams
#notes: |-
# this query will automatically determine all local user profiles and capture their powershell profile content for powershell, powershell_ise, and visual studio code
#####aid_end
commands:
- Get-BluGenieFileStreams -Path $(Get-BluGenieChildItemList -Path "AllUsers\Documents" -Pattern "Microsoft.*profile.*ps1$" -Recurse -ReturnObject | Select-Object -ExpandProperty FullName) -ShowAllStreamValues
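The single BluGenie command above resolves every local user's Documents folder, matches host-specific profile files with the regex `Microsoft.*profile.*ps1$`, and dumps every NTFS stream of each match. The plain PowerShell below does the same work step by step with built-in cmdlets only. It is an added example, not code from the BluGenie project or from this AID file, and it assumes a Windows host running Windows PowerShell 5.x or PowerShell 7 with rights to read other users' profile directories. It deliberately goes a little further than the query in two places a reviewer would otherwise miss: the `profile.ps1` AllHosts profile (which the regex above does not match because it has no `Microsoft.` prefix), and the AllUsers profiles under `$PSHOME` and the fixed engine install folders, which are outside any user's Documents folder. Profile directories are taken from the ProfileList registry key rather than by listing `C:\Users`, so relocated profiles and service-account profiles are included. The function names are this example's own.

```powershell
# Added example, not part of BluGenie. Enumerate every PowerShell profile file on
# the host (per-user and AllUsers), then report its primary content, its hash and
# every alternate data stream. Code in these files runs on each PowerShell start
# for that user, so any unexpected content here is a persistence finding.

# File names PowerShell actually loads: one AllHosts profile plus one per host.
$profileNames = @(
    'profile.ps1',                          # AllHosts (not matched by Microsoft.*profile.*ps1$)
    'Microsoft.PowerShell_profile.ps1',     # console host
    'Microsoft.PowerShellISE_profile.ps1',  # PowerShell ISE
    'Microsoft.VSCode_profile.ps1'          # VS Code PowerShell extension
)

function Get-LocalUserProfileRoot {
    # ProfileList holds ProfileImagePath for every loaded-at-least-once account,
    # including service accounts whose profile lives under System32\config.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    Get-ChildItem -Path $key | ForEach-Object {
        $p = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
        if ($p) { [Environment]::ExpandEnvironmentVariables($p) }
    } | Where-Object { Test-Path -LiteralPath $_ }
}

function Get-PowerShellProfileCandidate {
    $dirs = @()
    foreach ($root in Get-LocalUserProfileRoot) {
        # Windows PowerShell 5.x and PowerShell 7 use different per-user folders.
        $dirs += Join-Path $root 'Documents\WindowsPowerShell'
        $dirs += Join-Path $root 'Documents\PowerShell'
    }
    # AllUsers profiles: the running engine's $PSHOME plus the other engine's
    # default install folder, so a 7.x scan still sees 5.1 profiles and vice versa.
    $dirs += $PSHOME
    $dirs += Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0'
    $dirs += Join-Path $env:ProgramFiles 'PowerShell\7'

    foreach ($dir in ($dirs | Sort-Object -Unique)) {
        foreach ($name in $profileNames) {
            $file = Join-Path $dir $name
            if (Test-Path -LiteralPath $file -PathType Leaf) {
                Get-Item -LiteralPath $file
            }
        }
    }
}

function Get-PowerShellProfileReport {
    foreach ($file in Get-PowerShellProfileCandidate) {
        # Hash of the primary ($DATA) stream, for comparison with a known-good baseline.
        $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash

        # -Stream * lists every NTFS stream: ':$DATA' is the script itself; anything
        # else is an alternate data stream (Zone.Identifier marks a download, an
        # arbitrary name may hide a payload that a later line of the profile loads).
        $streams = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue
        foreach ($s in $streams) {
            [pscustomobject]@{
                Path             = $file.FullName
                Stream           = $s.Stream
                Length           = $s.Length
                LastWriteTimeUtc = $file.LastWriteTimeUtc
                PrimarySha256    = $hash
                Content          = Get-Content -LiteralPath $file.FullName -Stream $s.Stream -Raw -ErrorAction SilentlyContinue
            }
        }
    }
}

# Usage: list everything, or filter to files whose primary stream is non-empty or
# which carry any stream other than ':$DATA'.
Get-PowerShellProfileReport |
    Where-Object { $_.Stream -ne ':$DATA' -or $_.Length -gt 0 } |
    Format-List
```

Run it elevated; reading another user's Documents folder and the ProfileList key needs administrative rights, and per-user Documents folders redirected to a network share will only resolve if that share is reachable from the scanning session. Treat any non-empty profile on a host where none is expected, and any stream other than `:$DATA` on a profile file, as something to review by hand rather than something to whitelist by hash.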