🦖Day 74 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: Windows.Persistence.PowershellProfile

Author: @mgreen27

Link: https://docs.velociraptor.app/artifact_references/pages/windows.persistence.powershellprofile/

----

PowerShell supports several profiles depending on the user or host program. Adversaries may create or modify these profiles to include arbitrary commands, functions, modules, and/or PowerShell drives to gain persistence.

----

When a backdoored PowerShell session is opened, the modified script will be executed unless the '-NoProfile' flag is used upon launch.

An adversary may also be able to escalate privileges if a script in a PS profile is loaded and executed by an account with higher privileges, for example, a domain administrator.

----

In the past, Turla has used PowerShell profiles to maintain persistence on an infected machine.

https://attack.mitre.org/groups/G0010
https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/

----

This artifact will search and parse PowerShell profile scripts.

By default, both user and system-wide profiles will be searched. The user can also use regex to target and exclude specific content.
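As an added example (not part of this thread and not the artifact's own VQL), here is a PowerShell check that covers the same ground from the host side: it walks the system-wide and per-user profile locations and reports lines matching a target regex while dropping lines matched by an exclude regex. The profile paths, the default regexes and the `Users` directory layout are assumptions to tune for your environment.

```powershell
# Added example: hunt PowerShell profile scripts for suspicious content.
# Run as an administrator to read other users' profiles.
param(
    [string]$TargetRegex  = 'Start-Process|Invoke-Expression|\bIEX\b|DownloadString|EncodedCommand|FromBase64String',
    [string]$ExcludeRegex = '^\s*#'   # ignore commented-out lines
)

# File names PowerShell loads as profiles (AllHosts, console host, ISE host).
$profileNames = 'profile.ps1', 'Microsoft.PowerShell_profile.ps1', 'Microsoft.PowerShellISE_profile.ps1'

# AllUsers profile directories: Windows PowerShell 5.1 and PowerShell 7.
$profileDirs = @(
    "$env:windir\System32\WindowsPowerShell\v1.0",
    "$env:ProgramFiles\PowerShell\7"
)

# CurrentUser profile directories for every local user profile, not just the caller's.
foreach ($userDir in Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue) {
    $profileDirs += "$($userDir.FullName)\Documents\WindowsPowerShell"
    $profileDirs += "$($userDir.FullName)\Documents\PowerShell"
}

$findings = foreach ($dir in $profileDirs) {
    foreach ($name in $profileNames) {
        $path = Join-Path $dir $name
        if (-not (Test-Path -LiteralPath $path)) { continue }
        # Keep only lines that match the target regex and not the exclude regex.
        Select-String -LiteralPath $path -Pattern $TargetRegex |
            Where-Object { $_.Line -notmatch $ExcludeRegex } |
            ForEach-Object {
                [pscustomobject]@{
                    Path     = $path
                    Line     = $_.LineNumber
                    Content  = $_.Line.Trim()
                    Modified = (Get-Item -LiteralPath $path).LastWriteTimeUtc
                }
            }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No profile lines matched.' }
```

The LastWriteTimeUtc column is there so a hit can be lined up with other timeline evidence from the same window.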

----

Here (image), we can see that the PowerShell profile for the user 'wlambert' specifies that 'Start-Process' should call 'C:\Users\wlambert\Downloads\malz.exe'. Again, this would be called every time a PowerShell session is initiated. 👀

----

In this instance, 'malz.exe' is simply a copy of good ol' calc.exe 😀

----

This profile modification was simulated by running the following commands from a PS session:

- 'Add-Content $profile -Value ""'
- 'Add-Content $profile -value "Start-Process C:\Users\wlambert\Downloads\malz.exe"'

The profile content can be checked with 'Get-Content $profile'.

----

That's it for now! Stay tuned to learn about more artifacts! 🦖

Also, check out the links below for more information about PowerShell profiles!

Atomic Red Team Test:
https://atomicredteam.io/persistence/T1546.013/#atomic-test-1---append-malicious-start-process-cmdlet

MITRE ATT&CK Reference:
https://attack.mitre.org/techniques/T1546/013

#DFIR
#Forensics
#Infosec
#Persistence
#Windows
#T1546
#T1546.013
#ThreatHunting
