Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (<code>profile.ps1</code>) is a script that runs when PowerShell starts and can be used as a logon script to customize user environments.
PowerShell supports several profiles depending on the user or host program. For example, there can be different profiles for PowerShell host programs such as the PowerShell console, PowerShell ISE or Visual Studio Code. An administrator can also configure a profile that applies to all users and host programs on the local computer. (Citation: Microsoft About Profiles)
Adversaries may modify these profiles to include arbitrary commands, functions, modules, and/or PowerShell drives to gain persistence. Every time a user opens a PowerShell session the modified script will be executed unless the <code>-NoProfile</code> flag is used when it is launched. (Citation: ESET Turla PowerShell May 2019)
An adversary may also be able to escalate privileges if a script in a PowerShell profile is loaded and executed by an account with higher privileges, such as a domain administrator. (Citation: Wits End and Shady PowerShell Profiles)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CA-07 | Continuous Monitoring | mitigates | T1546.013 | PowerShell Profile | |
| CM-06 | Configuration Settings | mitigates | T1546.013 | PowerShell Profile | |
| IA-09 | Service Identification and Authentication | mitigates | T1546.013 | PowerShell Profile | |
| CM-10 | Software Usage Restrictions | mitigates | T1546.013 | PowerShell Profile | |
| SI-03 | Malicious Code Protection | mitigates | T1546.013 | PowerShell Profile | |
| SI-07 | Software, Firmware, and Information Integrity | mitigates | T1546.013 | PowerShell Profile | |
| CM-02 | Baseline Configuration | mitigates | T1546.013 | PowerShell Profile | |
| SI-04 | System Monitoring | mitigates | T1546.013 | PowerShell Profile | |
| AC-03 | Access Enforcement | mitigates | T1546.013 | PowerShell Profile | |
| AC-06 | Least Privilege | mitigates | T1546.013 | PowerShell Profile |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.vector.Command shell | Remote shell | related-to | T1546.013 | PowerShell Profile | |
| action.malware.vector.Email attachment | Email via user-executed attachment. Child of 'Email' | related-to | T1546.013 | PowerShell Profile | |
| attribute.integrity.variety.Alter behavior | Influence or alter human behavior | related-to | T1546.013 | PowerShell Profile |