Technique on mitre.org

T1546.013: PowerShell Profile

Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (profile.ps1) is a script that runs when PowerShell starts and can be used as a logon script to customize user environments.

PowerShell supports several profiles depending on the user or host program. For example, there can be different profiles for PowerShell host programs such as the PowerShell console, PowerShell ISE or Visual Studio Code. An administrator can also configure a profile that applies to all users and host programs on the local computer.

Adversaries may modify these profiles to include arbitrary commands, functions, modules, and/or PowerShell drives to gain persistence. Every time a user opens a PowerShell session the modified script will be executed unless the -NoProfile flag is used when it is launched.

An adversary may also be able to escalate privileges if a script in a PowerShell profile is loaded and executed by an account with higher privileges, such as a domain administrator.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_lateral_movement: PT-CR-225: Creation_Suspicious_File: Creation of a potentially malicious file is detected mitre_attck_lateral_movement: PT-CR-1373: Remote_Creation_Suspicious_File: Remote creation of a potentially malicious file is detected

Detection

ID	DS0022	Data source and component	File: File Creation	Description	Locations where `profile.ps1` can be stored should be monitored for new profiles. Example profile locations include: `$PsHome\Profile.ps1` `$PsHome\Microsoft.{HostProgram}_profile.ps1` `$Home\My Documents\PowerShell\Profile.ps1` `$Home\My Documents\PowerShell\Microsoft.{HostProgram}_profile.ps1`

ID	DS0022	Data source and component	File: File Modification	Description	Locations where `profile.ps1` can be stored should be monitored for modifications. Example profile locations include: `$PsHome\Profile.ps1` `$PsHome\Microsoft.{HostProgram}_profile.ps1` `$Home\My Documents\PowerShell\Profile.ps1` `$Home\My Documents\PowerShell\Microsoft.{HostProgram}_profile.ps1`

ID	DS0009	Data source and component	Process: Process Creation	Description	Monitor newly executed processes that may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles.

ID	DS0017	Data source and component	Command: Command Execution	Description	Monitor abnormal PowerShell commands, unusual loading of PowerShell drives or modules.

ID	Data source and component	Description
DS0022	File: File Creation	Locations where `profile.ps1` can be stored should be monitored for new profiles. Example profile locations include: `$PsHome\Profile.ps1` `$PsHome\Microsoft.{HostProgram}_profile.ps1` `$Home\My Documents\PowerShell\Profile.ps1` `$Home\My Documents\PowerShell\Microsoft.{HostProgram}_profile.ps1`
DS0022	File: File Modification	Locations where `profile.ps1` can be stored should be monitored for modifications. Example profile locations include: `$PsHome\Profile.ps1` `$PsHome\Microsoft.{HostProgram}_profile.ps1` `$Home\My Documents\PowerShell\Profile.ps1` `$Home\My Documents\PowerShell\Microsoft.{HostProgram}_profile.ps1`
DS0009	Process: Process Creation	Monitor newly executed processes that may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles.
DS0017	Command: Command Execution	Monitor abnormal PowerShell commands, unusual loading of PowerShell drives or modules.

Mitigation

ID	M1045	Name	Code Signing	Description	Enforce execution of only signed PowerShell scripts. Sign profiles to avoid them from being modified.

ID	M1022	Name	Restrict File and Directory Permissions	Description	Making PowerShell profiles immutable and only changeable by certain administrators will limit the ability for adversaries to easily create user level persistence.

ID	M1054	Name	Software Configuration	Description	Avoid PowerShell profiles if not needed. Use the -No Profile flag with when executing PowerShell scripts remotely to prevent local profiles and scripts from being executed.

ID	Name	Description
M1045	Code Signing	Enforce execution of only signed PowerShell scripts. Sign profiles to avoid them from being modified.
M1022	Restrict File and Directory Permissions	Making PowerShell profiles immutable and only changeable by certain administrators will limit the ability for adversaries to easily create user level persistence.
M1054	Software Configuration	Avoid PowerShell profiles if not needed. Use the -No Profile flag with when executing PowerShell scripts remotely to prevent local profiles and scripts from being executed.