T1546.013: PowerShell Profile
Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (profile.ps1) is a script that runs when PowerShell starts and can be used as a logon script to customize user environments.
PowerShell supports several profiles depending on the user or host program. For example, there can be different profiles for PowerShell host programs such as the PowerShell console, PowerShell ISE or Visual Studio Code. An administrator can also configure a profile that applies to all users and host programs on the local computer.
Adversaries may modify these profiles to include arbitrary commands, functions, modules, and/or PowerShell drives to gain persistence. Every time a user opens a PowerShell session the modified script will be executed unless the -NoProfile flag is used when it is launched.
An adversary may also be able to escalate privileges if a script in a PowerShell profile is loaded and executed by an account with higher privileges, such as a domain administrator.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
— Monitoring of events related to creation (ID 11 in Sysmon) and modification of profile.ps1 files at the locations $PsHome\Profile.ps1, $PsHome\Microsoft.{HostProgram}_profile.ps1, $Home\My Documents\PowerShell\Profile.ps1, and $Home\My Documents\PowerShell\Microsoft.{HostProgram}_profile.ps1. File paths may end with one of the following: \Microsoft.PowerShell_profile.ps1, \WindowsPowerShell\profile.ps1, \PowerShell\profile.ps1, \Windows\System32\WindowsPowerShell\v1.0\profile.ps1, \Program Files\PowerShell\7\profile.ps1
— Monitoring of execution of PowerShell commands (event IDs 4103 and 4104) containing the 'Add-Content $profile' string together with one of the following: -Value "IEX; -Value "Invoke-Expression; -Value "Invoke-WebRequest; -Value "Start-Process; -Value 'IEX; -Value 'Invoke-Expression; -Value 'Invoke-WebRequest; -Value 'Start-Process
Expert Required. The technique is detected only with the combination of «PT Product + Expert»
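The two MaxPatrol SIEM rules described above, written out as an added example in Python that is not part of this page or of any Positive Technologies product: a file-event check matching the profile path suffixes listed on the page, and a script-block check for 'Add-Content $profile' combined with one of the listed -Value prefixes. It goes slightly beyond the page's suffix list by also recognising any Microsoft.<HostProgram>_profile.ps1 file name (for example a VS Code host profile). The event dictionaries, their field names and the sample telemetry are constructed for this example and do not reflect a real log schema.

```python
"""Detection logic for T1546.013 profile tampering, run over constructed events."""
import re

# Profile path suffixes from the page; $PsHome / $Home prefixes vary per host,
# so matching is done on the tail of the path.
PROFILE_PATH_SUFFIXES = (
    r"\Microsoft.PowerShell_profile.ps1",
    r"\WindowsPowerShell\profile.ps1",
    r"\PowerShell\profile.ps1",
    r"\Windows\System32\WindowsPowerShell\v1.0\profile.ps1",
    r"\Program Files\PowerShell\7\profile.ps1",
)

# Generalisation (assumption, not from the page): any profile.ps1 or
# Microsoft.<HostProgram>_profile.ps1 file name, e.g. Microsoft.VSCode_profile.ps1.
PROFILE_NAME_RE = re.compile(r"(?i)\\(profile|Microsoft\.[\w.]+_profile)\.ps1$")

# Command rule: 'Add-Content $profile' plus a -Value starting with one of the
# four cmdlets/aliases named on the page, in double or single quotes.
ADD_CONTENT_RE = re.compile(r"(?i)Add-Content\s+\$profile\b")
VALUE_RE = re.compile(
    r"""(?i)-Value\s+["'](IEX|Invoke-Expression|Invoke-WebRequest|Start-Process)"""
)


def is_profile_path(path: str) -> bool:
    """True if the path ends in one of the known profile locations or names."""
    lowered = path.lower()
    if any(lowered.endswith(suffix.lower()) for suffix in PROFILE_PATH_SUFFIXES):
        return True
    return PROFILE_NAME_RE.search(path) is not None


def check_event(event: dict):
    """Return an alert string for one normalised event, or None.

    Constructed event shapes used here:
      {"source": "sysmon", "id": 11, "image": <creating process>, "target": <file path>}
      {"source": "powershell", "id": 4103 | 4104, "text": <pipeline / script block text>}
    """
    if event["source"] == "sysmon" and event["id"] == 11:
        if is_profile_path(event["target"]):
            return f"profile file created: {event['target']} by {event['image']}"
        return None
    if event["source"] == "powershell" and event["id"] in (4103, 4104):
        text = event["text"]
        if ADD_CONTENT_RE.search(text):
            match = VALUE_RE.search(text)
            if match:
                return (f"Add-Content $profile with {match.group(1)} "
                        f"(event {event['id']})")
        return None
    return None


def scan(events):
    """Run every event through check_event and keep the alerts."""
    return [alert for alert in (check_event(e) for e in events) if alert]


# Constructed sample telemetry: three should alert, three should not.
SAMPLE_EVENTS = [
    {"source": "sysmon", "id": 11,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\alice\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1"},
    {"source": "sysmon", "id": 11,
     "image": r"C:\Windows\System32\notepad.exe",
     "target": r"C:\Users\alice\Documents\notes.txt"},
    {"source": "sysmon", "id": 11,
     "image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "target": r"C:\Users\alice\Documents\PowerShell\Microsoft.VSCode_profile.ps1"},
    {"source": "powershell", "id": 4104,
     "text": 'Add-Content $profile -Value "IEX (placeholder command)"'},
    {"source": "powershell", "id": 4104,
     "text": "Add-Content $profile -Value 'Set-Alias ll Get-ChildItem'"},
    {"source": "powershell", "id": 4103,
     "text": "Get-Content $profile"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The second 4104 sample (a harmless alias added to the profile) is deliberately left unflagged: the page's rule keys on the four listed -Value prefixes, not on every write to $profile, which keeps ordinary profile customisation out of the alert stream.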
Detection
ID | Data source and component | Description
---|---|---
DS0022 | File: File Modification | Locations where
DS0017 | Command: Command Execution | Monitor abnormal PowerShell commands, unusual loading of PowerShell drives or modules.
DS0022 | File: File Creation | Locations where
DS0009 | Process: Process Creation | Monitor newly executed processes that may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles.
Mitigation
ID | Name | Description
---|---|---
M1054 | Software Configuration | Avoid PowerShell profiles if not needed. Use the -NoProfile flag when executing PowerShell scripts remotely to prevent local profiles and scripts from being executed.
M1045 | Code Signing | Enforce execution of only signed PowerShell scripts. Sign profiles to prevent them from being modified.
M1022 | Restrict File and Directory Permissions | Making PowerShell profiles immutable and changeable only by certain administrators will limit the ability of adversaries to easily create user-level persistence.