# PowerShell Profile

Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (profile.ps1) is a script that runs when PowerShell starts and can be used as a logon script to customize user environments.

PowerShell supports several profiles depending on the user or host program. For example, there can be different profiles for PowerShell host programs such as the PowerShell console, PowerShell ISE or Visual Studio Code. An administrator can also configure a profile that applies to all users and host programs on the local computer.

Adversaries may modify these profiles to include arbitrary commands, functions, modules and/or PowerShell drives to gain persistence. Every time a user opens a PowerShell session the modified script will be executed unless the -NoProfile flag is used when it is launched.

An adversary may also be able to escalate privileges if a script in a PowerShell profile is loaded and executed by an account with higher privileges, such as a domain administrator.

Example:

A PowerShell profile is a PowerShell script which you can customize to your environment and use to add session-specific elements to every PowerShell session that you start.

It's a script that runs when PowerShell starts. You can use profiles as a logon script to customize the environment. You can add commands, functions, aliases, modules, etc.

PowerShell supports several profile files. Also, PowerShell host programs can support their own host-specific profiles.

A few samples:

![](https://gblobscdn.gitbook.com/assets%2F-MRh03Vwd4nuiUi3Oje7%2F-MRhLdzPhVwvvWhac6Li%2F-MRhNBtWNjl_tPuP4LTc%2Fimage.png?alt=media\&token=f34afe3b-0abf-4cf3-99b7-17fbce2c8128)

The PowerShell profile script is stored in the folder **“WindowsPowerShell”**, which is hidden from the user by default. If a payload has been dropped onto disk, the “**Start-Process**” cmdlet can be used to point to the location of the executable. “**Test-Path**” determines whether a profile exists for the current user. If the profile doesn’t exist, the command “**New-Item -Path $Profile -Type File -Force**” will create a profile for the current user, and “**Out-File**” will rewrite the profile.

First let’s create a Profile:

![](https://gblobscdn.gitbook.com/assets%2F-MRh03Vwd4nuiUi3Oje7%2F-MRhLdzPhVwvvWhac6Li%2F-MRhNCu-bfKiwzqIcBaP%2Fimage.png?alt=media\&token=acbee862-5686-4f92-b1a8-a8391ca47ec2)

Then I will add the command I want executed when a new PowerShell session is initiated.

![](https://gblobscdn.gitbook.com/assets%2F-MRh03Vwd4nuiUi3Oje7%2F-MRhLdzPhVwvvWhac6Li%2F-MRhNDm5hj9Lx6239mQ9%2Fimage.png?alt=media\&token=ac686555-f685-4ab0-ab8c-97e3ffa81734)

Now every new PowerShell session will run my executable and connect back to my attacking machine.
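The flip side of the technique above is auditing it. The script below is an added example, not code from the original page or its author: it enumerates every profile location that PowerShell loads on a host (the four `$PROFILE` paths plus host-specific `*_profile.ps1` files such as the ISE one in the same folders), reports which exist, and prints any line containing cmdlets commonly used for this kind of persistence. The pattern list is an assumption to tune for your environment; run it as the user being audited and once more elevated so the AllUsers paths are covered.

```powershell
# Added example (not from the original page): audit PowerShell profile locations
# for persistence. Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.

# The four standard profile paths exposed by $PROFILE.
$paths = @(
    $PROFILE.AllUsersAllHosts,
    $PROFILE.AllUsersCurrentHost,
    $PROFILE.CurrentUserAllHosts,
    $PROFILE.CurrentUserCurrentHost
)

# Other hosts (ISE, VS Code) keep their own <Host>_profile.ps1 in the same directories.
$dirs = $paths | Split-Path -Parent | Sort-Object -Unique
$hostSpecific = foreach ($d in $dirs) {
    if (Test-Path -Path $d) {
        Get-ChildItem -Path $d -Filter '*_profile.ps1' -File | Select-Object -ExpandProperty FullName
    }
}
$paths = ($paths + $hostSpecific) | Sort-Object -Unique

# Constructed pattern list: cmdlets/strings common in profile-based persistence.
$suspicious = 'Start-Process|Invoke-Expression|\bIEX\b|DownloadString|EncodedCommand|FromBase64String|Net\.WebClient'

foreach ($p in $paths) {
    if (-not (Test-Path -Path $p -PathType Leaf)) {
        "[absent ] $p"
        continue
    }
    $item = Get-Item -Path $p
    $hash = (Get-FileHash -Path $p -Algorithm SHA256).Hash
    "[present] $p  (modified $($item.LastWriteTime), SHA256 $hash)"
    # Show each matching line with its line number so a reviewer can judge it in context.
    Select-String -Path $p -Pattern $suspicious | ForEach-Object {
        "    line $($_.LineNumber): $($_.Line.Trim())"
    }
}
```

Pair the file audit with script block logging (event ID 4104 in Microsoft-Windows-PowerShell/Operational), which records the profile's content each time a session executes it, and compare the SHA256 values against a known-good baseline.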

Runs every Second

These are just a few demonstrations that I wanted to share; they are simple and very easy to follow. If you would like to go into more detail, please check out the MITRE ATT&CK framework, as it’s a great guide for understanding the various techniques used by APTs.

![](https://gblobscdn.gitbook.com/assets%2F-MRh03Vwd4nuiUi3Oje7%2F-MRhLdzPhVwvvWhac6Li%2F-MRhNij9sC-MEm7aPcdY%2Fpersistence-penv.gif?alt=media\&token=ef6065ad-2acd-4b58-8474-7c58fda38bf8)
