T1546.013 - PowerShell Profile

Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (profile.ps1) is a script that runs when PowerShell starts and can be used as a logon script to customize user environments.

PowerShell supports several profiles depending on the user or host program. For example, there can be different profiles for PowerShell host programs such as the PowerShell console, PowerShell ISE or Visual Studio Code. An administrator can also configure a profile that applies to all users and host programs on the local computer. (Citation: Microsoft About Profiles)

Adversaries may modify these profiles to include arbitrary commands, functions, modules, and/or PowerShell drives to gain persistence. Every time a user opens a PowerShell session the modified script will be executed unless the -NoProfile flag is used when it is launched. (Citation: ESET Turla PowerShell May 2019)

An adversary may also be able to escalate privileges if a script in a PowerShell profile is loaded and executed by an account with higher privileges, such as a domain administrator. (Citation: Wits End and Shady PowerShell Profiles)

Atomic Tests

Atomic Test #1 - Append malicious start-process cmdlet

Appends a Start-Process cmdlet to the current user's powershell profile that points to a malicious executable. Upon execution, calc.exe will be launched.

Supported Platforms: windows

Dependencies: Run with powershell!

Description: Ensure a powershell profile exists for the current user
Check Prereq Commands:
if (Test-Path $profile) {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Path $profile -Type File -Force
Invoke-AtomicTest T1546.013 -TestNumbers 1 -GetPreReqs

Attack Commands: Run with powershell

Add-Content $profile -Value ""
Add-Content $profile -Value "Start-Process calc.exe"
powershell -Command exit
Invoke-AtomicTest T1546.013 -TestNumbers 1

Cleanup:

$oldprofile = cat $profile | Select-Object -skiplast 1
Set-Content $profile -Value $oldprofile
Invoke-AtomicTest T1546.013 -TestNumbers 1 -Cleanup

Detection

Locations where profile.ps1 can be stored should be monitored for new profiles or modifications. (Citation: Malware Archaeology PowerShell Cheat Sheet)(Citation: Microsoft Profiles) Example profile locations (user defaults as well as program-specific) include:

  • $PsHome\Profile.ps1

  • $PsHome\Microsoft.{HostProgram}_profile.ps1

  • $Home\[My ]Documents\PowerShell\Profile.ps1

  • $Home\[My ]Documents\PowerShell\Microsoft.{HostProgram}_profile.ps1

Monitor abnormal PowerShell commands, unusual loading of PowerShell drives or modules, and/or execution of unknown programs.
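The profile locations listed above, together with the per-host profiles described at the top of the page, are what a defender needs to enumerate and watch. The script below is an added example and is not part of the Atomic Red Team test or of Microsoft's tooling: it resolves every profile path for the current host (via the scope properties on $PROFILE), adds the ISE and VS Code host-specific names and the per-user Documents locations, hashes whatever exists, compares against a baseline file, and flags constructs such as Start-Process that the test above plants. The baseline path under $env:ProgramData, the function names, and the pattern list are assumptions made for this example.

```powershell
# Added example (not the Atomic Red Team test): audit PowerShell profile
# locations, keep a SHA256 baseline, and report new/modified/suspect profiles.
# $BaselinePath is an assumed location chosen for this example.
$BaselinePath = Join-Path $env:ProgramData 'ProfileAudit\baseline.json'

function Get-ProfileCandidatePath {
    # $PROFILE carries one NoteProperty per scope for the *current* host;
    # the ISE and VS Code host-specific names are added explicitly.
    $paths = @(
        $PROFILE.AllUsersAllHosts,
        $PROFILE.AllUsersCurrentHost,
        $PROFILE.CurrentUserAllHosts,
        $PROFILE.CurrentUserCurrentHost,
        (Join-Path $PSHOME 'Microsoft.PowerShellISE_profile.ps1'),
        (Join-Path $PSHOME 'Microsoft.VSCode_profile.ps1')
    )
    # Per-user profiles for every local user directory (e.g. C:\Users\*),
    # covering both Windows PowerShell and PowerShell 7 Documents folders.
    $usersRoot = Split-Path $env:USERPROFILE -Parent
    foreach ($userDir in Get-ChildItem -Path $usersRoot -Directory -ErrorAction SilentlyContinue) {
        foreach ($docs in 'Documents\WindowsPowerShell', 'Documents\PowerShell') {
            $dir = Join-Path $userDir.FullName $docs
            foreach ($name in 'profile.ps1', 'Microsoft.PowerShell_profile.ps1',
                              'Microsoft.PowerShellISE_profile.ps1', 'Microsoft.VSCode_profile.ps1') {
                $paths += Join-Path $dir $name
            }
        }
    }
    $paths | Sort-Object -Unique
}

function Get-ProfileState {
    # Hash every profile that actually exists; missing candidates are skipped.
    $state = @{}
    foreach ($p in Get-ProfileCandidatePath) {
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            $state[$p] = @{
                Sha256    = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
                LastWrite = (Get-Item -LiteralPath $p).LastWriteTimeUtc.ToString('o')
            }
        }
    }
    $state
}

# Constructed list of constructs worth a closer look inside a profile. Many are
# legitimate in real profiles, so a hit is a triage lead, not a verdict.
$SuspiciousPatterns = @(
    'Start-Process', 'Invoke-Expression', '\biex\b', 'DownloadString',
    'FromBase64String', '-EncodedCommand', 'New-PSDrive', 'Import-Module\s+\\\\'
)

function Test-ProfileContent {
    param([string]$Path)
    $text = Get-Content -LiteralPath $Path -Raw -ErrorAction SilentlyContinue
    if (-not $text) { return @() }
    $SuspiciousPatterns | Where-Object { $text -match $_ }
}

function Compare-ProfileBaseline {
    $current  = Get-ProfileState
    $findings = @()
    if (Test-Path -LiteralPath $BaselinePath) {
        # ConvertFrom-Json yields a PSCustomObject keyed by full path.
        $baseline     = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
        $baselineKeys = @($baseline.PSObject.Properties.Name)
        foreach ($path in $current.Keys) {
            if ($path -notin $baselineKeys) {
                $findings += "NEW profile: $path"
            } elseif ($baseline.$path.Sha256 -ne $current[$path].Sha256) {
                $findings += "MODIFIED profile: $path (baseline hash $($baseline.$path.Sha256.Substring(0,12))...)"
            }
        }
        foreach ($path in $baselineKeys) {
            if (-not $current.ContainsKey($path)) { $findings += "REMOVED profile: $path" }
        }
    } else {
        $findings += "No baseline at $BaselinePath; recording every existing profile as new"
        foreach ($path in $current.Keys) { $findings += "NEW profile: $path" }
    }
    # Content check runs regardless of hash status, so a pre-existing
    # profile that already carried a Start-Process line is still surfaced.
    foreach ($path in $current.Keys) {
        $hits = Test-ProfileContent -Path $path
        if ($hits) { $findings += "SUSPECT content in ${path}: $($hits -join ', ')" }
    }
    # Persist the current state as the baseline for the next run.
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath -Parent) -Force | Out-Null
    $current | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $BaselinePath
    $findings
}

Compare-ProfileBaseline
```

Run it once from an elevated session to seed the baseline, then on a schedule; after the atomic test above has been executed, the next run reports the current user's profile as MODIFIED and lists Start-Process as suspect content. Pair the hash baseline with file-system auditing or Sysmon file-create events on the same paths, since a scheduled diff only catches a change after the fact and an adversary who edits and reverts a profile between runs would be missed.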