Event Triggered Execution: PowerShell Profile
Other sub-techniques of Event Triggered Execution (16)
Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (profile.ps1) is a script that runs when PowerShell starts and can be used as a logon script to customize user environments.
PowerShell supports several profiles depending on the user or host program. For example, there can be different profiles for PowerShell host programs such as the PowerShell console, PowerShell ISE or Visual Studio Code. An administrator can also configure a profile that applies to all users and host programs on the local computer. (Citation: Microsoft About Profiles)
Adversaries may modify these profiles to include arbitrary commands, functions, modules, and/or PowerShell drives to gain persistence. Every time a user opens a PowerShell session the modified script will be executed unless the -NoProfile flag is used when it is launched. (Citation: ESET Turla PowerShell May 2019)
An adversary may also be able to escalate privileges if a script in a PowerShell profile is loaded and executed by an account with higher privileges, such as a domain administrator. (Citation: Wits End and Shady PowerShell Profiles)
Procedure Examples |
|
| Name | Description |
|---|---|
| Turla |
Turla has used PowerShell profiles to maintain persistence on an infected machine.(Citation: ESET Turla PowerShell May 2019) |
Mitigations |
|
| Mitigation | Description |
|---|---|
| Code Signing |
Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing. |
| Restrict File and Directory Permissions |
Restrict access by setting directory and file permissions that are not specific to users or privileged accounts. |
| Software Configuration |
Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates. |
Detection
Locations where profile.ps1 can be stored should be monitored for new profiles or modifications. (Citation: Malware Archaeology PowerShell Cheat Sheet)(Citation: Microsoft Profiles) Example profile locations (user defaults as well as program-specific) include:
* $PsHome\Profile.ps1
* $PsHome\Microsoft.{HostProgram}_profile.ps1
* $Home\\\[My ]Documents\PowerShell\Profile.ps1
* $Home\\\[My ]Documents\PowerShell\Microsoft.{HostProgram}_profile.ps1
Monitor abnormal PowerShell commands, unusual loading of PowerShell drives or modules, and/or execution of unknown programs.
References
- Microsoft. (2021, September 27). about_Profiles. Retrieved February 4, 2022.
- Malware Archaeology. (2016, June). WINDOWS POWERSHELL LOGGING CHEAT SHEET - Win 7/Win 2008 or later. Retrieved June 24, 2016.
- DeRyke, A.. (2019, June 7). Lab Notes: Persistence and Privilege Elevation using the Powershell Profile. Retrieved July 8, 2019.
- Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
- Microsoft. (2017, November 29). About Profiles. Retrieved June 14, 2019.
Связанные риски
| Риск | Связи | |
|---|---|---|
|
Закрепление злоумышленника в ОС из-за
возможности использования профилей PowerShell в ОС Windows
Повышение привилегий
НСД
|
|
|
|
Повышение привилегий в ОС из-за
возможности использования профилей PowerShell в ОС Windows
Повышение привилегий
Целостность
|
|
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.