Description
Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (profile.ps1) is a script that runs when PowerShell starts and can be used as a logon script to customize user environments.
PowerShell supports several profiles depending on the user or host program. For example, there can be different profiles for PowerShell host programs such as the PowerShell console, PowerShell ISE or Visual Studio Code. An administrator can also configure a profile that applies to all users and host programs on the local computer. (Citation: Microsoft About Profiles)
Adversaries may modify these profiles to include arbitrary commands, functions, modules, and/or PowerShell drives to gain persistence. Every time a user opens a PowerShell session the modified script will be executed unless the -NoProfile flag is used when it is launched. (Citation: ESET Turla PowerShell May 2019)
An adversary may also be able to escalate privileges if a script in a PowerShell profile is loaded and executed by an account with higher privileges, such as a domain administrator. (Citation: Wits End and Shady PowerShell Profiles)
Platforms
Mitigations (3)
Code Signing (M1045)
Enforce execution of only signed PowerShell scripts. Sign profiles so that a modified profile no longer passes signature validation and is not executed.
Restrict File and Directory Permissions (M1022)
Making PowerShell profiles immutable and only changeable by certain administrators will limit the ability for adversaries to easily create user level persistence.
Software Configuration (M1054)
Avoid PowerShell profiles if they are not needed. Use the -NoProfile flag when executing PowerShell scripts remotely to prevent local profiles and scripts from being executed.
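The three mitigations above can be checked with a short audit script. The following is an added example written for this page, not code from MITRE ATT&CK or from any cited reference. It assumes the four profile paths exposed by the automatic `$PROFILE` variable (the host-specific paths differ per host program, so run it in each host you care about), a constructed list of broad principals that should not hold write access to an all-users profile, and that `Get-AuthenticodeSignature` and `Get-ExecutionPolicy` are available, which they are in Windows PowerShell 5.1 and PowerShell 7.

```powershell
# Added example (not from the ATT&CK page): audit PowerShell profile locations
# against the mitigations M1045 (signing), M1022 (permissions) and M1054
# (only keep profiles that are needed).

# The four profile paths PowerShell exposes for the current host program.
$profilePaths = [ordered]@{
    AllUsersAllHosts       = $PROFILE.AllUsersAllHosts
    AllUsersCurrentHost    = $PROFILE.AllUsersCurrentHost
    CurrentUserAllHosts    = $PROFILE.CurrentUserAllHosts
    CurrentUserCurrentHost = $PROFILE.CurrentUserCurrentHost
}

# Constructed list (assumption): principals that should not be able to write
# to an all-users profile. Adjust to the organisation's own policy.
$broadPrincipals = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')

$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-ProfileWritableByBroadGroup {
    # Returns $true when any Allow ACE grants a broad principal write rights.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

# M1045: an AllSigned policy is what makes an unsigned or tampered profile
# refuse to load; show the effective policy per scope for context.
Write-Host "Execution policy by scope:"
Get-ExecutionPolicy -List | Format-Table -AutoSize

# One row per profile path: existence, signature status and ACL exposure.
foreach ($entry in $profilePaths.GetEnumerator()) {
    $path = $entry.Value
    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{
            Scope = $entry.Key; Path = $path; Exists = $false
            Signature = 'n/a'; BroadWrite = 'n/a'
        }
        continue
    }
    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Scope      = $entry.Key
        Path       = $path
        Exists     = $true
        Signature  = $sig.Status   # Valid, NotSigned, HashMismatch, ...
        BroadWrite = Test-ProfileWritableByBroadGroup -Path $path
    }
}
```

A row with `Exists = True` and `Signature = NotSigned` (or `HashMismatch`) shows a profile that an AllSigned policy would block but that a less strict policy still runs on every session start; a row with `BroadWrite = True` on an AllUsers path is the permission gap M1022 describes, since any local user could then plant commands that every account, including a domain administrator opening a console, would execute. Profiles that exist but are not needed are candidates for removal under M1054, and remote invocations can pass `-NoProfile` regardless of what this audit finds.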
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G0010 | Turla | [Turla](https://attack.mitre.org/groups/G0010) has used PowerShell profiles to maintain persistence on an infected machine.(Citation: ESET Turla Power... |
References
- DeRyke, A. (2019, June 7). Lab Notes: Persistence and Privilege Elevation using the Powershell Profile. Retrieved July 8, 2019.
- Faou, M. and Dumont, R. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
- Malware Archaeology. (2016, June). WINDOWS POWERSHELL LOGGING CHEAT SHEET - Win 7/Win 2008 or later. Retrieved June 24, 2016.
- Microsoft. (2017, November 29). About Profiles. Retrieved June 14, 2019.
- Microsoft. (2021, September 27). about_Profiles. Retrieved February 4, 2022.
Frequently Asked Questions
What is T1546.013 (PowerShell Profile)?
T1546.013 is a MITRE ATT&CK technique named 'PowerShell Profile'. It belongs to the Privilege Escalation, Persistence tactic(s). Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (`profile.ps1`) is a script that runs when [Po...
How can T1546.013 be detected?
Detection of T1546.013 (PowerShell Profile) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1546.013?
There are 3 documented mitigations for T1546.013. Key mitigations include: Code Signing, Restrict File and Directory Permissions, Software Configuration.
Which threat groups use T1546.013?
Known threat groups using T1546.013 include: Turla.