Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (<code>profile.ps1</code>) is a script that runs when PowerShell starts and can be used as a logon script to customize user environments.
PowerShell supports several profiles depending on the user or host program. For example, there can be different profiles for PowerShell host programs such as the PowerShell console, PowerShell ISE or Visual Studio Code. An administrator can also configure a profile that applies to all users and host programs on the local computer. (Citation: Microsoft About Profiles)
Adversaries may modify these profiles to include arbitrary commands, functions, modules, and/or PowerShell drives to gain persistence. Every time a user opens a PowerShell session, the modified script is executed unless the host program is launched with the <code>-NoProfile</code> flag. (Citation: ESET Turla PowerShell May 2019)
An adversary may also be able to escalate privileges if a script in a PowerShell profile is loaded and executed by an account with higher privileges, such as a domain administrator: a profile path that a low-privileged user can write to, but that a privileged account later starts PowerShell with, runs the attacker's code in the privileged context. (Citation: Wits End and Shady PowerShell Profiles)
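The following script is an added example, not code from MITRE ATT&CK or from any of the cited reports, of the baseline-and-compare check a defender would run against the profile locations described above. It derives the per-user and all-users profile directories from the <code>$PROFILE</code> automatic variable, adds the documented ISE and Visual Studio Code profile file names in those same directories (assumed to follow the <code>Microsoft.&lt;Host&gt;_profile.ps1</code> naming convention), hashes whatever exists, flags profiles that broad groups such as <code>Everyone</code> or <code>BUILTIN\Users</code> can write to (the privilege-escalation condition), and diffs the result against a JSON baseline. The function names, the baseline file path and the list of "broad" identities are assumptions chosen for the example.

```powershell
# Added example (not from MITRE ATT&CK or the cited sources): inventory every
# PowerShell profile location on this host, keep an integrity baseline, and
# flag profiles that changed or that a low-privileged user could write to.
# Assumptions: Windows; PowerShell 5.1 or 7+; ISE / VS Code profiles follow the
# documented Microsoft.<Host>_profile.ps1 naming convention. Run it from both
# Windows PowerShell and pwsh, because $PROFILE points at different
# directories (WindowsPowerShell\ vs PowerShell\) for each edition.

function Get-PowerShellProfileInventory {
    # $PROFILE carries the four paths for the *current* host program only.
    $userDir     = Split-Path -Parent $PROFILE.CurrentUserAllHosts
    $allUsersDir = Split-Path -Parent $PROFILE.AllUsersAllHosts   # this is $PSHOME

    $candidates = @(
        $PROFILE.AllUsersAllHosts
        $PROFILE.AllUsersCurrentHost
        $PROFILE.CurrentUserAllHosts
        $PROFILE.CurrentUserCurrentHost
        # Other host programs keep their own CurrentHost profiles in the same directories.
        Join-Path $allUsersDir 'Microsoft.PowerShellISE_profile.ps1'
        Join-Path $allUsersDir 'Microsoft.VSCode_profile.ps1'
        Join-Path $userDir     'Microsoft.PowerShellISE_profile.ps1'
        Join-Path $userDir     'Microsoft.VSCode_profile.ps1'
    ) | Sort-Object -Unique

    # Identities that should never hold write access to a profile that a
    # privileged account will execute (assumed list; extend for your estate).
    $broadIdentities = 'Everyone', 'BUILTIN\Users',
                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    $writeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl

    foreach ($path in $candidates) {
        $exists = Test-Path -LiteralPath $path -PathType Leaf
        $hash = $null; $lastWrite = $null; $writable = @()
        if ($exists) {
            $hash      = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $lastWrite = (Get-Item -LiteralPath $path).LastWriteTimeUtc
            $writable  = (Get-Acl -LiteralPath $path).Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ($broadIdentities -contains $_.IdentityReference.Value) -and
                (([int]($_.FileSystemRights -band $writeRights)) -ne 0)
            } | ForEach-Object { $_.IdentityReference.Value }
        }
        [pscustomobject]@{
            Path             = $path
            Exists           = $exists
            Sha256           = $hash
            LastWriteUtc     = $lastWrite
            BroadWriteAccess = @($writable)
        }
    }
}

function Compare-PowerShellProfileBaseline {
    param([Parameter(Mandatory)][string]$BaselinePath)

    $current = @(Get-PowerShellProfileInventory)

    if (-not (Test-Path -LiteralPath $BaselinePath)) {
        # First run: record the baseline. Store it somewhere the users whose
        # profiles you monitor cannot modify, or the comparison is meaningless.
        $current | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $BaselinePath
        return
    }

    $baseline = @{}
    foreach ($b in @(Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json)) {
        $baseline[$b.Path] = $b
    }

    foreach ($c in $current) {
        $b = $baseline[$c.Path]
        $status = if (-not $b)                             { 'NEW-PATH'  }
                  elseif ($c.Exists -and -not $b.Exists)   { 'CREATED'   }
                  elseif (-not $c.Exists -and $b.Exists)   { 'DELETED'   }
                  elseif ($c.Sha256 -ne $b.Sha256)         { 'MODIFIED'  }
                  else                                     { 'UNCHANGED' }
        [pscustomobject]@{
            Path             = $c.Path
            Status           = $status
            LastWriteUtc     = $c.LastWriteUtc
            BroadWriteAccess = ($c.BroadWriteAccess -join ', ')
        }
    }
}

# Usage (assumed path): first call writes the baseline, later calls report drift.
# Compare-PowerShellProfileBaseline -BaselinePath 'C:\ProgramData\ps-profile-baseline.json' | Format-Table -AutoSize
```

Any row with Status <code>CREATED</code> or <code>MODIFIED</code> is a profile that will run on the next interactive PowerShell start (unless that start uses <code>-NoProfile</code>), and any non-empty <code>BroadWriteAccess</code> on an all-users path is the precondition for the privilege-escalation case described above. Run the check itself with <code>powershell.exe -NoProfile</code> so that a tampered profile cannot interfere with the inventory.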
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
DE.CM-09.01 | Software and data integrity checking | Mitigates | T1546.013 | PowerShell Profile | This diagnostic statement protects against PowerShell Profile persistence through verification of software/firmware integrity, loading only trusted software, ensuring privileged process integrity and checking software signatures. |
PR.PS-01.03 | Configuration deviation | Mitigates | T1546.013 | PowerShell Profile | This diagnostic statement provides protection from PowerShell Profile persistence through the implementation of security configuration baselines for the OS and software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CA-07 | Continuous Monitoring | mitigates | T1546.013 | PowerShell Profile | |
CM-06 | Configuration Settings | mitigates | T1546.013 | PowerShell Profile | |
IA-09 | Service Identification and Authentication | mitigates | T1546.013 | PowerShell Profile | |
CM-10 | Software Usage Restrictions | mitigates | T1546.013 | PowerShell Profile | |
SI-03 | Malicious Code Protection | mitigates | T1546.013 | PowerShell Profile | |
SI-07 | Software, Firmware, and Information Integrity | mitigates | T1546.013 | PowerShell Profile | |
CM-02 | Baseline Configuration | mitigates | T1546.013 | PowerShell Profile | |
SI-04 | System Monitoring | mitigates | T1546.013 | PowerShell Profile | |
AC-03 | Access Enforcement | mitigates | T1546.013 | PowerShell Profile | |
AC-06 | Least Privilege | mitigates | T1546.013 | PowerShell Profile |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.hacking.vector.Command shell | Remote shell | related-to | T1546.013 | PowerShell Profile | |
action.malware.vector.Email attachment | Email via user-executed attachment. Child of 'Email' | related-to | T1546.013 | PowerShell Profile | |
attribute.integrity.variety.Alter behavior | Influence or alter human behavior | related-to | T1546.013 | PowerShell Profile |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | technique_scores | T1546.013 | PowerShell Profile | This control may detect file changes that indicate event triggered execution, such as creation or modification of a PowerShell profile script. Monitoring the specific profile file paths rather than whole directories may reduce the false positive rate. At worst this control scans for changes on an hourly basis, so a profile modification may go unreported for up to an hour. |