#####aid_begin
#description: file scan - query all users for their powershell profile content for powershell, powershell_ise, and visual studio code
#id: aid2201231648
#processtype: query
#category: filesandfolders
#sourcelink: <na>
#tacticidlist: <na>
#techniqueidlist: <na>
#compatibleos: |-
#  windows 7
#  windows 8.*
#  windows 10
#  windows 11
#  windows server 2008 r2
#  windows server 2012
#  windows server 2012 r2
#  windows server 2016
#  windows server 2019
#compatibleengine: |-
#  powershell 2
#  powershell 3
#  powershell 4
#  powershell 5.*
#  powershell 7.*
#bgcommandlist: |-
#  get-bgfilestreams
#notes: |-
#  this query will automatically determine all local user profiles and capture their powershell profile content for powershell, powershell_ise, and visual studio code
#####aid_end
commands:
- Get-BluGenieFileStreams -Path $(Get-BluGenieChildItemList -Path "AllUsers\Documents" -Pattern "Microsoft.*profile.*ps1$" -Recurse -ReturnObject | Select-Object -ExpandProperty FullName) -ShowAllStreamValues