Powershell Profile Persistence

It's possible to use powershell profiles for persistence and/or privilege escalation.

Execution

There are four places you can abuse the powershell profile, depending on the privileges you have:

$PROFILE | select *

Let's add the code to a $profile variable (that expands to the current user's profile file) that will get executed the next time the compromised user launches a powershell console:

attacker@target

echo "whoami > c:\temp\whoami.txt" > $PROFILE
cat $PROFILE

Once the compromised user launches powershell, our code gets executed:

If the user is not using profiles, the technique will stick out immediately due to the "loading personal and system profiles..." message at the top.

References

Event Triggered Execution: PowerShell Profile, Sub-technique T1546.013 - Enterprise | MITRE ATT&CK®

PreviousInstalling Root Certificate NextRID Hijacking

Last updated 5 years ago