> For the complete documentation index, see [llms.txt](https://www.ired.team/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.ired.team/offensive-security/persistence/powershell-profile-persistence.md).

# Powershell Profile Persistence

It's possible to use powershell profiles for persistence and/or privilege escalation.

## Execution

There are four places you can abuse the powershell profile, depending on the privileges you have:

```csharp
$PROFILE | select *
```

![](/files/-LsxdF_BjpR3m7AqxhWj)

Let's add the code to a `$profile` variable (that expands to the current user's profile file) that will get executed the next time the compromised user launches a powershell console:

{% code title="attacker\@target" %}

```csharp
echo "whoami > c:\temp\whoami.txt" > $PROFILE
cat $PROFILE
```

{% endcode %}

![](/files/-Lsxb-yXAHbywrB71vFI)

Once the compromised user launches powershell, our code gets executed:

![](/files/-LsxbCPHx-CvgCFVo9WS)

{% hint style="warning" %}
If the user is not using profiles, the technique will stick out immediately due to the "loading personal and system profiles..." message at the top.
{% endhint %}

## References

{% embed url="<https://attack.mitre.org/techniques/T1504/>" %}
