PowerShell Profile

Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (profile.ps1) is a script that runs when PowerShell starts and can be used as a logon script to customize user environments.

PowerShell supports several profiles depending on the user or host program. For example, there can be different profiles for PowerShell host programs such as the PowerShell console, PowerShell ISE or Visual Studio Code. An administrator can also configure a profile that applies to all users and host programs on the local computer.

Adversaries may modify these profiles to include arbitrary commands, functions, modules and/or PowerShell drives to gain persistence. Every time a user opens a PowerShell sessions the modified script will be executed unless the -NoProfile flag is used when it is launched.

An adversary may also be able to escalate privileges if a script in a PowerShell profile is loaded and executed by an account with higher privileges, such as a domain administrator.

Example:

PowerShell Profile is a PowerShell script which you can customize to your environment and add session specific elements to every PowerShell session that you Start.

It's a script that runs when PowerShell starts. You can use profiles as a logon script to customize the environment. You can add Commands, Functions, Aliases, Modules, etc.

PowerShell supports several profile files. Also, PowerShell host programs can support their own host-specific profiles.

A few Samples:

The PowerShell profile script is stored in the folder “WindowsPowerShel” which is by default is hidden from the user. If a payload has been dropped into disk the “Start-Process” cmdlet can be used to point to the location of the Executable. The “Test-Path” determines if a profile exists for the current user. If the profile doesn’t exist the Command “New-Item -Path $Profile -Type File -Force” will create a profile for the current users and the “Out-File” will rewrite the profile.

First let’s create a Profile:

Then I will add the command I want to be executed when a New PowerShell Session is initiated.

Now every New PowerShell will run my Executable Command and connect back to my Attacking Machine.

Runs every Second

These are just a few demonstrations that I wanted to share they are simple and very easy to follow, If you would love to go more into Detail please do check out the MITRE Framework as it’s a great guide to understand and check out various techniques used by APT’s.