From 254ec7feb786d21cdec736d5b473973bc63c9138 Mon Sep 17 00:00:00 2001 From: keyboardcrunch <40863898+keyboardcrunch@users.noreply.github.com> Date: Tue, 15 Sep 2020 17:20:50 -0500 Subject: [PATCH] Added T1546.013 T1546.013 Malicious Process Start Added to Powershell Profile --- queries.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/queries.md b/queries.md index ed82a55..6f1ec2f 100644 --- a/queries.md +++ b/queries.md @@ -136,3 +136,12 @@ Detects creation or modification of the file at `C:\program.exe` for exploiting ``` (FileFullName = "C:\program.exe" AND EventType In ("File Creation","File Modification")) OR TgtProcImagePath = "C:\program.exe" ``` + +### T1546.013 Malicious Process Start Added to Powershell Profile +Atomics: [T1546.013](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md) + +Detects the addition of process execution strings (`TgtProcCmdLine In Contains Anycase (list)`)to the powershell profile, through CommandLine and CommandScript indicators. + +``` +(SrcProcCmdScript ContainsCIS "Add-Content $profile -Value" AND SrcProcCmdScript ContainsCIS "Start-Process") OR (TgtProcCmdLine ContainsCIS "Add-Content $profile" AND TgtProcCmdLine In Contains Anycase ("Start-Process","& ","cmd.exe /c")) +```
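Review bot: the first branch of the added query (the `SrcProcCmdScript` clause) only matches when the exact substring `Add-Content $profile -Value` is present, so equivalent writes such as `Add-Content -Path $profile -Value ...`, `Add-Content $profile "..."` with a positional value, or `Set-Content $profile` / `Out-File $profile -Append` are not covered; consider matching `Add-Content` and `$profile` as separate `ContainsCIS` terms, as the second (`TgtProcCmdLine`) branch already does, and stating the `Set-Content` / `Out-File` gap in the description so the coverage is not overstated. Two documentation points in the same hunk: the description line is missing a space in `(list)`)to the powershell profile`, and the heading uses `Powershell` where the product name is `PowerShell`; a one-line comment that the broad third list term `"& "` is only evaluated in conjunction with the `Add-Content $profile` term would also help a reader judge the false-positive rate.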