Find sigma rule

Attack: Event Triggered Execution: PowerShell Profile

Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (profile.ps1) is a script that runs when PowerShell starts and can be used as a logon script to customize user environments.

PowerShell supports several profiles depending on the user or host program. For example, there can be different profiles for PowerShell host programs such as the PowerShell console, PowerShell ISE or Visual Studio Code. An administrator can also configure a profile that applies to all users and host programs on the local computer. (Citation: Microsoft About Profiles)

Adversaries may modify these profiles to include arbitrary commands, functions, modules, and/or PowerShell drives to gain persistence. Every time a user opens a PowerShell session the modified script will be executed unless the -NoProfile flag is used when it is launched. (Citation: ESET Turla PowerShell May 2019)

An adversary may also be able to escalate privileges if a script in a PowerShell profile is loaded and executed by an account with higher privileges, such as a domain administrator. (Citation: Wits End and Shady PowerShell Profiles)

MITRE

Tactic

privilege-escalation
persistence

technique

T1546.013

Test : Append malicious start-process cmdlet

OS

windows

Description:

Appends a start process cmdlet to the current user’s powershell profile pofile that points to a malicious executable. Upon execution, calc.exe will be launched.

Executor

powershell

Sigma Rule

posh_ps_user_profile_tampering.yml (id: 05b3e303-faf0-4f4a-9b30-46cc13e69152)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test