From 275eaa9f59e454050585fd3d67ea826e4e7734d2 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Sat, 16 Nov 2019 00:22:19 +0000 Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master --- atomics/T1504/T1504.md | 47 +++++++ atomics/art_navigator_layer.json | 2 +- atomics/index.md | 6 +- atomics/index.yaml | 210 +++++++++++++++++++++++++++++++ atomics/matrix.md | 4 +- atomics/windows-index.md | 6 +- atomics/windows-matrix.md | 4 +- 7 files changed, 270 insertions(+), 9 deletions(-) create mode 100644 atomics/T1504/T1504.md diff --git a/atomics/T1504/T1504.md b/atomics/T1504/T1504.md new file mode 100644 index 00000000..a03bc920 --- /dev/null +++ b/atomics/T1504/T1504.md @@ -0,0 +1,47 @@ +# T1504 - PowerShell Profile +## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1504) +
Adversaries may gain persistence and elevate privileges in certain situations by abusing [PowerShell](https://attack.mitre.org/techniques/T1086) profiles. A PowerShell profile (profile.ps1) is a script that runs when PowerShell starts and can be used as a logon script to customize user environments. PowerShell supports several profiles depending on the user or host program. For example, there can be different profiles for PowerShell host programs such as the PowerShell console, PowerShell ISE or Visual Studio Code. An administrator can also configure a profile that applies to all users and host programs on the local computer. (Citation: Microsoft About Profiles) + +Adversaries may modify these profiles to include arbitrary commands, functions, modules, and/or PowerShell drives to gain persistence. Every time a user opens a PowerShell session the modified script will be executed unless the -NoProfile flag is used when it is launched. (Citation: ESET Turla PowerShell May 2019) + +An adversary may also be able to escalate privileges if a script in a PowerShell profile is loaded and executed by an account with higher privileges, such as a domain administrator. (Citation: Wits End and Shady PowerShell Profiles)
+ +## Atomic Tests + +- [Atomic Test #1 - Append malicious start-process cmdlet](#atomic-test-1---append-malicious-start-process-cmdlet) + + +
+ +## Atomic Test #1 - Append malicious start-process cmdlet +Appends a start process cmdlet to the current user's powershell profile pofile that points to a malicious executable + +**Supported Platforms:** Windows + + +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| exe_path | Path the malicious executable | Path | calc.exe| +| ps_profile | Powershell profile to use | String | $profile| + +#### Run it with `powershell`! +``` +if(Test-Path #{ps_profile}){ +} +else{ + New-Item -Path #{ps_profile} -Type File -Force +} +$malicious = "Start-Process #{exe_path}" +Add-Content #{ps_profile} -Value $malicious +powershell -command exit +``` + + +#### Cleanup Commands: +``` +$oldprofile = cat $profile | Select-Object -skiplast 1 +Set-Content $profile -Value $oldprofile +``` + +
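Review bot: the cleanup commands in this hunk operate on `$profile` while the test itself writes to `#{ps_profile}`, so whenever a caller overrides `ps_profile` the cleanup strips the last line of the wrong file (the default profile) and leaves the appended `Start-Process` line in place. Use the same input in both places, e.g. `$oldprofile = cat #{ps_profile} | Select-Object -SkipLast 1` followed by `Set-Content #{ps_profile} -Value $oldprofile`. Two smaller points in the same block: the empty `if(Test-Path #{ps_profile}){ }` branch reads more clearly as `if(-not (Test-Path #{ps_profile})){ New-Item -Path #{ps_profile} -Type File -Force }`, and when the profile did not exist before the test, cleanup leaves an empty profile file behind rather than removing it, so consider recording whether the file pre-existed. Note that `Select-Object -SkipLast` requires Windows PowerShell 5.0 or later. Wording: "profile pofile" in the test description, and "Path the malicious executable" in the Inputs table should be "Path to the malicious executable". Since this file is produced by the doc-generation job, those fixes belong in the T1504 atomic definition that the generator reads, not in this generated markdown.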
diff --git a/atomics/art_navigator_layer.json b/atomics/art_navigator_layer.json index f7ff9ace..244005af 100644 --- a/atomics/art_navigator_layer.json +++ b/atomics/art_navigator_layer.json 
@@ -1 +1 @@ -{"version":"2.2","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1002","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1004","score":100,"enabled":true},{"techniqueID":"T1005","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1009","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1015","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1022","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1028","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1031","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1035","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1038","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1042","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1050","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T10
59","score":100,"enabled":true},{"techniqueID":"T1060","score":100,"enabled":true},{"techniqueID":"T1062","score":100,"enabled":true},{"techniqueID":"T1063","score":100,"enabled":true},{"techniqueID":"T1064","score":100,"enabled":true},{"techniqueID":"T1065","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1075","score":100,"enabled":true},{"techniqueID":"T1076","score":100,"enabled":true},{"techniqueID":"T1077","score":100,"enabled":true},{"techniqueID":"T1081","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1084","score":100,"enabled":true},{"techniqueID":"T1085","score":100,"enabled":true},{"techniqueID":"T1086","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1088","score":100,"enabled":true},{"techniqueID":"T1089","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1096","score":100,"enabled":true},{"techniqueID":"T1097","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1099","score":100,"enabled":true},{"techniqueID":"T1100","score":100,"enabled":true},{"techniqueID":"T1101","score":100,"enabled":true},{"techniqueID":"T1103","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1107","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1117","score":100,"enabled":true},{"techniqueID":"T1118","score":100,"enabled":true},{"techniqueID":"T1119","score"
:100,"enabled":true},{"techniqueID":"T1121","score":100,"enabled":true},{"techniqueID":"T1122","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1126","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1128","score":100,"enabled":true},{"techniqueID":"T1130","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1138","score":100,"enabled":true},{"techniqueID":"T1139","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1141","score":100,"enabled":true},{"techniqueID":"T1142","score":100,"enabled":true},{"techniqueID":"T1144","score":100,"enabled":true},{"techniqueID":"T1145","score":100,"enabled":true},{"techniqueID":"T1146","score":100,"enabled":true},{"techniqueID":"T1147","score":100,"enabled":true},{"techniqueID":"T1148","score":100,"enabled":true},{"techniqueID":"T1150","score":100,"enabled":true},{"techniqueID":"T1151","score":100,"enabled":true},{"techniqueID":"T1152","score":100,"enabled":true},{"techniqueID":"T1153","score":100,"enabled":true},{"techniqueID":"T1154","score":100,"enabled":true},{"techniqueID":"T1155","score":100,"enabled":true},{"techniqueID":"T1156","score":100,"enabled":true},{"techniqueID":"T1158","score":100,"enabled":true},{"techniqueID":"T1159","score":100,"enabled":true},{"techniqueID":"T1160","score":100,"enabled":true},{"techniqueID":"T1163","score":100,"enabled":true},{"techniqueID":"T1164","score":100,"enabled":true},{"techniqueID":"T1165","score":100,"enabled":true},{"techniqueID":"T1166","score":100,"enabled":true},{"techniqueID":"T1168","score":100,"enabled":true},{"techniqueID":"T1169","score":100,"enabl
ed":true},{"techniqueID":"T1170","score":100,"enabled":true},{"techniqueID":"T1173","score":100,"enabled":true},{"techniqueID":"T1174","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1179","score":100,"enabled":true},{"techniqueID":"T1180","score":100,"enabled":true},{"techniqueID":"T1183","score":100,"enabled":true},{"techniqueID":"T1191","score":100,"enabled":true},{"techniqueID":"T1193","score":100,"enabled":true},{"techniqueID":"T1196","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1206","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1214","score":100,"enabled":true},{"techniqueID":"T1215","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1223","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1501","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true}]} \ No newline at end of file +{"version":"2.2","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one 
test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1002","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1004","score":100,"enabled":true},{"techniqueID":"T1005","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1009","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1015","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1022","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1028","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1031","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1035","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1038","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1042","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1050","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1060","score":100,"enabled":true},{"techniqueID":"T1062","score":100,"enabled":true},{"techniqueID":"T1063","score":100,"enabled":true},{"techniqueID":"T1064","score":100,"enabled":true},{"techniqueID":"T1065"
,"score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1075","score":100,"enabled":true},{"techniqueID":"T1076","score":100,"enabled":true},{"techniqueID":"T1077","score":100,"enabled":true},{"techniqueID":"T1081","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1084","score":100,"enabled":true},{"techniqueID":"T1085","score":100,"enabled":true},{"techniqueID":"T1086","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1088","score":100,"enabled":true},{"techniqueID":"T1089","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1096","score":100,"enabled":true},{"techniqueID":"T1097","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1099","score":100,"enabled":true},{"techniqueID":"T1100","score":100,"enabled":true},{"techniqueID":"T1101","score":100,"enabled":true},{"techniqueID":"T1103","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1107","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1117","score":100,"enabled":true},{"techniqueID":"T1118","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1121","score":100,"enabled":true},{"techniqueID":"T1122","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1126","score":10
0,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1128","score":100,"enabled":true},{"techniqueID":"T1130","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1138","score":100,"enabled":true},{"techniqueID":"T1139","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1141","score":100,"enabled":true},{"techniqueID":"T1142","score":100,"enabled":true},{"techniqueID":"T1144","score":100,"enabled":true},{"techniqueID":"T1145","score":100,"enabled":true},{"techniqueID":"T1146","score":100,"enabled":true},{"techniqueID":"T1147","score":100,"enabled":true},{"techniqueID":"T1148","score":100,"enabled":true},{"techniqueID":"T1150","score":100,"enabled":true},{"techniqueID":"T1151","score":100,"enabled":true},{"techniqueID":"T1152","score":100,"enabled":true},{"techniqueID":"T1153","score":100,"enabled":true},{"techniqueID":"T1154","score":100,"enabled":true},{"techniqueID":"T1155","score":100,"enabled":true},{"techniqueID":"T1156","score":100,"enabled":true},{"techniqueID":"T1158","score":100,"enabled":true},{"techniqueID":"T1159","score":100,"enabled":true},{"techniqueID":"T1160","score":100,"enabled":true},{"techniqueID":"T1163","score":100,"enabled":true},{"techniqueID":"T1164","score":100,"enabled":true},{"techniqueID":"T1165","score":100,"enabled":true},{"techniqueID":"T1166","score":100,"enabled":true},{"techniqueID":"T1168","score":100,"enabled":true},{"techniqueID":"T1169","score":100,"enabled":true},{"techniqueID":"T1170","score":100,"enabled":true},{"techniqueID":"T1173","score":100,"enabled":true},{"techniqueID":"T1174","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1179","score":100,"enabled"
:true},{"techniqueID":"T1180","score":100,"enabled":true},{"techniqueID":"T1183","score":100,"enabled":true},{"techniqueID":"T1191","score":100,"enabled":true},{"techniqueID":"T1193","score":100,"enabled":true},{"techniqueID":"T1196","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1206","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1214","score":100,"enabled":true},{"techniqueID":"T1215","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1223","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1501","score":100,"enabled":true},{"techniqueID":"T1504","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/index.md b/atomics/index.md index 93770635..4d508566 100644 --- a/atomics/index.md +++ b/atomics/index.md 
@@ -100,7 +100,8 @@ - Atomic Test #1: Plist Modification [macos] - T1205 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1013 Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1504 PowerShell Profile [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1504 PowerShell Profile](./T1504/T1504.md) + - Atomic Test #1: Append malicious start-process cmdlet [windows] - [T1163 Rc.common](./T1163/T1163.md) - Atomic Test #1: rc.common [macos] - [T1164 Re-opened Applications](./T1164/T1164.md) @@ -438,7 +439,8 @@ - [T1150 Plist Modification](./T1150/T1150.md) - Atomic Test #1: Plist Modification [macos] - T1013 Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1504 PowerShell Profile [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1504 PowerShell Profile](./T1504/T1504.md) + - Atomic Test #1: Append malicious start-process cmdlet [windows] - [T1055 Process Injection](./T1055/T1055.md) - Atomic Test #1: Process Injection via mavinject.exe [windows] - Atomic Test #2: Process Injection via PowerSploit [windows] diff --git a/atomics/index.yaml b/atomics/index.yaml index 507dd2f8..800459ee 100644 --- a/atomics/index.yaml +++ b/atomics/index.yaml 
@@ -3375,6 +3375,111 @@ persistence: ~/Library/Preferences 2. Subsequently, follow the steps for adding and running via [Launch Agent](Persistence/Launch_Agent.md) + T1504: + technique: + x_mitre_data_sources: + - Process monitoring + - File monitoring + - PowerShell logs + x_mitre_permissions_required: + - User + - Administrator + name: PowerShell Profile + description: "Adversaries may gain persistence and elevate privileges in certain + situations by abusing [PowerShell](https://attack.mitre.org/techniques/T1086) + profiles. A PowerShell profile (profile.ps1) is a script that + runs when PowerShell starts and can be used as a logon script to customize + user environments. PowerShell supports several profiles depending on the user + or host program. For example, there can be different profiles for PowerShell + host programs such as the PowerShell console, PowerShell ISE or Visual Studio + Code. An administrator can also configure a profile that applies to all users + and host programs on the local computer. (Citation: Microsoft About Profiles) + \n\nAdversaries may modify these profiles to include arbitrary commands, functions, + modules, and/or PowerShell drives to gain persistence. Every time a user opens + a PowerShell session the modified script will be executed unless the -NoProfile + flag is used when it is launched. (Citation: ESET Turla PowerShell May 2019) + \n\nAn adversary may also be able to escalate privileges if a script in a + PowerShell profile is loaded and executed by an account with higher privileges, + such as a domain administrator. (Citation: Wits End and Shady PowerShell Profiles)" + id: attack-pattern--723e3a2b-ca0d-4daa-ada8-82ea35d3733a + x_mitre_platforms: + - Windows + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + x_mitre_version: '1.0' + type: attack-pattern + x_mitre_detection: |- + Locations where profile.ps1 can be stored should be monitored for new profiles or modifications. 
(Citation: Malware Archaeology PowerShell Cheat Sheet) Example profile locations include: + + * $PsHome\Profile.ps1 + * $PsHome\Microsoft.{HostProgram}_profile.ps1 + * $Home\My Documents\PowerShell\Profile.ps1 + * $Home\My Documents\PowerShell\Microsoft.{HostProgram}_profile.ps1 + + Monitor abnormal PowerShell commands, unusual loading of PowerShell drives or modules, and/or execution of unknown programs. + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + x_mitre_contributors: + - Allen DeRyke, ICE + created: '2019-06-14T18:53:49.472Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + external_references: + - source_name: mitre-attack + external_id: T1504 + url: https://attack.mitre.org/techniques/T1504 + - description: Microsoft. (2017, November 29). About Profiles. Retrieved June + 14, 2019. + source_name: Microsoft About Profiles + url: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-6 + - description: Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell + usage. Retrieved June 14, 2019. + source_name: ESET Turla PowerShell May 2019 + url: https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/ + - description: 'DeRyke, A.. (2019, June 7). Lab Notes: Persistence and Privilege + Elevation using the Powershell Profile. Retrieved July 8, 2019.' + source_name: Wits End and Shady PowerShell Profiles + url: https://witsendandshady.blogspot.com/2019/06/lab-notes-persistence-and-privilege.html + - source_name: Malware Archaeology PowerShell Cheat Sheet + description: Malware Archaeology. (2016, June). WINDOWS POWERSHELL LOGGING + CHEAT SHEET - Win 7/Win 2008 or later. Retrieved June 24, 2016. 
+ url: http://www.malwarearchaeology.com/s/Windows-PowerShell-Logging-Cheat-Sheet-ver-June-2016-v2.pdf + modified: '2019-07-19T14:46:24.213Z' + identifier: T1504 + atomic_tests: + - name: Append malicious start-process cmdlet + description: 'Appends a start process cmdlet to the current user''s powershell + profile pofile that points to a malicious executable + +' + supported_platforms: + - windows + input_arguments: + exe_path: + description: Path the malicious executable + type: Path + default: calc.exe + ps_profile: + description: Powershell profile to use + type: String + default: "$profile" + executor: + name: powershell + elevation_required: false + command: | + if(Test-Path #{ps_profile}){ + } + else{ + New-Item -Path #{ps_profile} -Type File -Force + } + $malicious = "Start-Process #{exe_path}" + Add-Content #{ps_profile} -Value $malicious + powershell -command exit + cleanup_command: |- + $oldprofile = cat $profile | Select-Object -skiplast 1 + Set-Content $profile -Value $oldprofile T1163: technique: x_mitre_permissions_required: 
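Review bot: the indexed copy of the test in this hunk carries the same defects as the generated T1504.md: `cleanup_command` reads and rewrites `$profile` although `command` appends to `#{ps_profile}`, and the description still says "profile pofile" and "Path the malicious executable". Because index.yaml is regenerated and this whole technique block is emitted again verbatim under the privilege-escalation phase in the following hunk, editing either copy by hand will be overwritten; correct the atomic's own YAML so that `cleanup_command` uses `#{ps_profile}` and regenerate. The ATT&CK metadata portion (data sources, detection text, references) matches the upstream technique object and needs no change.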
@@ -12887,6 +12992,111 @@ privilege-escalation: ~/Library/Preferences 2. Subsequently, follow the steps for adding and running via [Launch Agent](Persistence/Launch_Agent.md) + T1504: + technique: + x_mitre_data_sources: + - Process monitoring + - File monitoring + - PowerShell logs + x_mitre_permissions_required: + - User + - Administrator + name: PowerShell Profile + description: "Adversaries may gain persistence and elevate privileges in certain + situations by abusing [PowerShell](https://attack.mitre.org/techniques/T1086) + profiles. A PowerShell profile (profile.ps1) is a script that + runs when PowerShell starts and can be used as a logon script to customize + user environments. PowerShell supports several profiles depending on the user + or host program. For example, there can be different profiles for PowerShell + host programs such as the PowerShell console, PowerShell ISE or Visual Studio + Code. An administrator can also configure a profile that applies to all users + and host programs on the local computer. (Citation: Microsoft About Profiles) + \n\nAdversaries may modify these profiles to include arbitrary commands, functions, + modules, and/or PowerShell drives to gain persistence. Every time a user opens + a PowerShell session the modified script will be executed unless the -NoProfile + flag is used when it is launched. (Citation: ESET Turla PowerShell May 2019) + \n\nAn adversary may also be able to escalate privileges if a script in a + PowerShell profile is loaded and executed by an account with higher privileges, + such as a domain administrator. (Citation: Wits End and Shady PowerShell Profiles)" + id: attack-pattern--723e3a2b-ca0d-4daa-ada8-82ea35d3733a + x_mitre_platforms: + - Windows + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + x_mitre_version: '1.0' + type: attack-pattern + x_mitre_detection: |- + Locations where profile.ps1 can be stored should be monitored for new profiles or modifications. 
(Citation: Malware Archaeology PowerShell Cheat Sheet) Example profile locations include: + + * $PsHome\Profile.ps1 + * $PsHome\Microsoft.{HostProgram}_profile.ps1 + * $Home\My Documents\PowerShell\Profile.ps1 + * $Home\My Documents\PowerShell\Microsoft.{HostProgram}_profile.ps1 + + Monitor abnormal PowerShell commands, unusual loading of PowerShell drives or modules, and/or execution of unknown programs. + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + x_mitre_contributors: + - Allen DeRyke, ICE + created: '2019-06-14T18:53:49.472Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + external_references: + - source_name: mitre-attack + external_id: T1504 + url: https://attack.mitre.org/techniques/T1504 + - description: Microsoft. (2017, November 29). About Profiles. Retrieved June + 14, 2019. + source_name: Microsoft About Profiles + url: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-6 + - description: Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell + usage. Retrieved June 14, 2019. + source_name: ESET Turla PowerShell May 2019 + url: https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/ + - description: 'DeRyke, A.. (2019, June 7). Lab Notes: Persistence and Privilege + Elevation using the Powershell Profile. Retrieved July 8, 2019.' + source_name: Wits End and Shady PowerShell Profiles + url: https://witsendandshady.blogspot.com/2019/06/lab-notes-persistence-and-privilege.html + - source_name: Malware Archaeology PowerShell Cheat Sheet + description: Malware Archaeology. (2016, June). WINDOWS POWERSHELL LOGGING + CHEAT SHEET - Win 7/Win 2008 or later. Retrieved June 24, 2016. 
+ url: http://www.malwarearchaeology.com/s/Windows-PowerShell-Logging-Cheat-Sheet-ver-June-2016-v2.pdf + modified: '2019-07-19T14:46:24.213Z' + identifier: T1504 + atomic_tests: + - name: Append malicious start-process cmdlet + description: 'Appends a start process cmdlet to the current user''s powershell + profile pofile that points to a malicious executable + +' + supported_platforms: + - windows + input_arguments: + exe_path: + description: Path the malicious executable + type: Path + default: calc.exe + ps_profile: + description: Powershell profile to use + type: String + default: "$profile" + executor: + name: powershell + elevation_required: false + command: | + if(Test-Path #{ps_profile}){ + } + else{ + New-Item -Path #{ps_profile} -Type File -Force + } + $malicious = "Start-Process #{exe_path}" + Add-Content #{ps_profile} -Value $malicious + powershell -command exit + cleanup_command: |- + $oldprofile = cat $profile | Select-Object -skiplast 1 + Set-Content $profile -Value $oldprofile T1055: technique: x_mitre_permissions_required: diff --git a/atomics/matrix.md b/atomics/matrix.md index 31a1ca5d..ad048189 100644 --- a/atomics/matrix.md +++ b/atomics/matrix.md 
@@ -22,7 +22,7 @@ | | [Regsvr32](./T1117/T1117.md) | File System Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disabling Security Tools](./T1089/T1089.md) | [Private Keys](./T1145/T1145.md) | [System Information Discovery](./T1082/T1082.md) | [Windows Admin Shares](./T1077/T1077.md) | | | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | [Rundll32](./T1085/T1085.md) | [Hidden Files and Directories](./T1158/T1158.md) | [Plist Modification](./T1150/T1150.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](./T1016/T1016.md) | [Windows Remote Management](./T1028/T1028.md) | | | Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | [Scheduled Task](./T1053/T1053.md) | [Hooking](./T1179/T1179.md) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](./T1049/T1049.md) | | | | [Uncommonly Used Port](./T1065/T1065.md) | -| | [Scripting](./T1064/T1064.md) | [Hypervisor](./T1062/T1062.md) | PowerShell Profile [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Owner/User Discovery](./T1033/T1033.md) | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | [Scripting](./T1064/T1064.md) | [Hypervisor](./T1062/T1062.md) | [PowerShell 
Profile](./T1504/T1504.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Owner/User Discovery](./T1033/T1033.md) | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | [Service Execution](./T1035/T1035.md) | [Image File Execution Options Injection](./T1183/T1183.md) | [Process Injection](./T1055/T1055.md) | [File Deletion](./T1107/T1107.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Service Discovery](./T1007/T1007.md) | | | | | | | [Signed Binary Proxy Execution](./T1218/T1218.md) | Implant Container Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | File System Logical Offsets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Time Discovery](./T1124/T1124.md) | | | | | | | [Signed Script Proxy Execution](./T1216/T1216.md) | [Kernel Modules and Extensions](./T1215/T1215.md) | [Scheduled Task](./T1053/T1053.md) | [File and Directory Permissions Modification](./T1222/T1222.md) | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | 
@@ -42,7 +42,7 @@ | | | [Plist Modification](./T1150/T1150.md) | | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Launchctl](./T1152/T1152.md) | | | | | | | | | | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Masquerading](./T1036/T1036.md) | | | | | | | -| | | PowerShell Profile [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Modify Registry](./T1112/T1112.md) | | | | | | | +| | | [PowerShell Profile](./T1504/T1504.md) | | [Modify Registry](./T1112/T1112.md) | | | | | | | | | | [Rc.common](./T1163/T1163.md) | | [Mshta](./T1170/T1170.md) | | | | | | | | | | [Re-opened Applications](./T1164/T1164.md) | | [NTFS File Attributes](./T1096/T1096.md) | | | | | | | | | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Network Share Connection Removal](./T1126/T1126.md) | | | | | | | diff --git a/atomics/windows-index.md b/atomics/windows-index.md index ac96fd10..527af882 100644 --- a/atomics/windows-index.md +++ b/atomics/windows-index.md @@ -211,7 +211,8 @@ - T1502 Parent PID Spoofing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1034 Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1013 Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1504 PowerShell Profile [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1504 PowerShell Profile](./T1504/T1504.md) + - Atomic Test #1: Append malicious start-process cmdlet [windows] - [T1055 Process Injection](./T1055/T1055.md) - Atomic Test #1: Process Injection via mavinject.exe [windows] - Atomic Test #2: Process Injection via PowerSploit [windows] 
@@ -293,7 +294,8 @@ - Atomic Test #1: DDEAUTO [windows] - T1034 Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1013 Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1504 PowerShell Profile [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1504 PowerShell Profile](./T1504/T1504.md) + - Atomic Test #1: Append malicious start-process cmdlet [windows] - T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1060 Registry Run Keys / Startup Folder](./T1060/T1060.md) - Atomic Test #1: Reg Key Run [windows] diff --git a/atomics/windows-matrix.md b/atomics/windows-matrix.md index cf9a520f..c1a656f4 100644 --- a/atomics/windows-matrix.md +++ b/atomics/windows-matrix.md 
@@ -17,7 +17,7 @@ | | [PowerShell](./T1086/T1086.md) | [DLL Search Order Hijacking](./T1038/T1038.md) | Parent PID Spoofing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](./T1038/T1038.md) | [Network Sniffing](./T1040/T1040.md) | [Remote System Discovery](./T1018/T1018.md) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | [Regsvcs/Regasm](./T1121/T1121.md) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DLL Side-Loading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Filter DLL](./T1174/T1174.md) | [Security Software Discovery](./T1063/T1063.md) | [Windows Admin Shares](./T1077/T1077.md) | | | Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | [Regsvr32](./T1117/T1117.md) | File System Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](./T1140/T1140.md) | [Private Keys](./T1145/T1145.md) | [Software Discovery](./T1518/T1518.md) | [Windows Remote Management](./T1028/T1028.md) | | | [Remote File Copy](./T1105/T1105.md) | -| | [Rundll32](./T1085/T1085.md) | [Hidden Files and Directories](./T1158/T1158.md) | PowerShell Profile [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disabling Security Tools](./T1089/T1089.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](./T1082/T1082.md) | | | | [Standard Application Layer Protocol](./T1071/T1071.md) | +| | [Rundll32](./T1085/T1085.md) | [Hidden Files and Directories](./T1158/T1158.md) | [PowerShell Profile](./T1504/T1504.md) | [Disabling Security 
Tools](./T1089/T1089.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](./T1082/T1082.md) | | | | [Standard Application Layer Protocol](./T1071/T1071.md) | | | [Scheduled Task](./T1053/T1053.md) | [Hooking](./T1179/T1179.md) | [Process Injection](./T1055/T1055.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](./T1016/T1016.md) | | | | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | [Scripting](./T1064/T1064.md) | [Hypervisor](./T1062/T1062.md) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Network Connections Discovery](./T1049/T1049.md) | | | | Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | [Service Execution](./T1035/T1035.md) | [Image File Execution Options Injection](./T1183/T1183.md) | [Scheduled Task](./T1053/T1053.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Owner/User Discovery](./T1033/T1033.md) | | | | [Uncommonly Used Port](./T1065/T1065.md) | 
@@ -29,7 +29,7 @@ | | [Windows Management Instrumentation](./T1047/T1047.md) | [Office Application Startup](./T1137/T1137.md) | | Hidden Window [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | [Windows Remote Management](./T1028/T1028.md) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Image File Execution Options Injection](./T1183/T1183.md) | | | | | | | | | [XSL Script Processing](./T1220/T1220.md) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | -| | | PowerShell Profile [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | +| | | [PowerShell Profile](./T1504/T1504.md) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Indicator Removal on Host](./T1070/T1070.md) | | | | | | | | | | [Registry Run Keys / Startup Folder](./T1060/T1060.md) | | [Indirect Command Execution](./T1202/T1202.md) | | | | | | | | | | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Install Root Certificate](./T1130/T1130.md) | | | | | | |
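Review bot: in the two windows-index.md hunks (@@ -211 and @@ -293) the new test title `Append malicious start-process cmdlet [windows]` spells the cmdlet in lowercase; PowerShell convention is `Start-Process`, and the title should also say what the cmdlet is appended to (the PowerShell profile) so the index reads unambiguously. Because this file is generated by the validate_atomics_generate_docs job, the wording belongs in the atomic's YAML definition, not in a hand edit here. Since the test appends to a profile that persists across sessions, please confirm the generated T1504.md entry documents how the profile is restored after the test runs.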
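Review bot: the matrix hunks (matrix.md @@ -22 and @@ -42, windows-matrix.md @@ -17 and @@ -29) replace the `PowerShell Profile [CONTRIBUTE A TEST]` placeholder with `[PowerShell Profile](./T1504/T1504.md)` in both the Privilege Escalation and Persistence columns, matching the two-tactic mapping for T1504 and the `./Txxxx/Txxxx.md` link form used by the neighbouring cells. No change needed; if either column ever diverges, fix the generator input rather than the generated matrix.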