PowerShell Profile - T1546.013
(ATT&CK® Technique)
Definition
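Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (profile.ps1) is a script that runs when PowerShell starts and can be used as a logon script to customize user environments. Because the profile runs in the context of whichever account starts PowerShell, a profile that a lower-privileged user can modify but a higher-privileged account loads is what makes privilege elevation possible; sessions started with -NoProfile do not load it.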
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR; T1546013["PowerShell Profile"] --> |modifies| PowerShellProfileScript["PowerShell Profile Script"]; class T1546013 OffensiveTechniqueNode; class PowerShellProfileScript ArtifactNode; click PowerShellProfileScript href "/dao/artifact/d3f:PowerShellProfileScript"; click T1546013 href "/offensive-technique/attack/T1546.013/"; click PowerShellProfileScript href "/dao/artifact/d3f:PowerShellProfileScript"; ExecutableAllowlisting["Executable Allowlisting"] --> | blocks | PowerShellProfileScript["PowerShell Profile Script"]; ExecutableAllowlisting["Executable Allowlisting"] -.-> | may-isolate | T1546013["PowerShell Profile"] ; class ExecutableAllowlisting DefensiveTechniqueNode; class PowerShellProfileScript ArtifactNode; click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ExecutableDenylisting["Executable Denylisting"] --> | blocks | PowerShellProfileScript["PowerShell Profile Script"]; ExecutableDenylisting["Executable Denylisting"] -.-> | may-isolate | T1546013["PowerShell Profile"] ; class ExecutableDenylisting DefensiveTechniqueNode; class PowerShellProfileScript ArtifactNode; click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; RestoreFile["Restore File"] --> | restores | PowerShellProfileScript["PowerShell Profile Script"]; RestoreFile["Restore File"] -.-> | may-restore | T1546013["PowerShell Profile"] ; class RestoreFile DefensiveTechniqueNode; class PowerShellProfileScript ArtifactNode; click RestoreFile href "/technique/d3f:RestoreFile"; LocalFilePermissions["Local File Permissions"] --> | restricts | PowerShellProfileScript["PowerShell Profile Script"]; LocalFilePermissions["Local File Permissions"] -.-> | may-harden | T1546013["PowerShell Profile"] ; class LocalFilePermissions DefensiveTechniqueNode; class PowerShellProfileScript ArtifactNode; click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; FileEncryption["File Encryption"] --> | encrypts | PowerShellProfileScript["PowerShell Profile 
Script"]; FileEncryption["File Encryption"] -.-> | may-harden | T1546013["PowerShell Profile"] ; class FileEncryption DefensiveTechniqueNode; class PowerShellProfileScript ArtifactNode; click FileEncryption href "/technique/d3f:FileEncryption"; DecoyFile["Decoy File"] --> | spoofs | PowerShellProfileScript["PowerShell Profile Script"]; DecoyFile["Decoy File"] -.-> | may-deceive | T1546013["PowerShell Profile"] ; class DecoyFile DefensiveTechniqueNode; class PowerShellProfileScript ArtifactNode; click DecoyFile href "/technique/d3f:DecoyFile"; FileEviction["File Eviction"] --> | deletes | PowerShellProfileScript["PowerShell Profile Script"]; FileEviction["File Eviction"] -.-> | may-evict | T1546013["PowerShell Profile"] ; class FileEviction DefensiveTechniqueNode; class PowerShellProfileScript ArtifactNode; click FileEviction href "/technique/d3f:FileEviction"; FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | PowerShellProfileScript["PowerShell Profile Script"]; FileIntegrityMonitoring["File Integrity Monitoring"] -.-> | may-detect | T1546013["PowerShell Profile"] ; class FileIntegrityMonitoring DefensiveTechniqueNode; class PowerShellProfileScript ArtifactNode; click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; DynamicAnalysis["Dynamic Analysis"] --> | analyzes | PowerShellProfileScript["PowerShell Profile Script"]; DynamicAnalysis["Dynamic Analysis"] -.-> | may-detect | T1546013["PowerShell Profile"] ; class DynamicAnalysis DefensiveTechniqueNode; class PowerShellProfileScript ArtifactNode; click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; EmulatedFileAnalysis["Emulated File Analysis"] --> | analyzes | PowerShellProfileScript["PowerShell Profile Script"]; EmulatedFileAnalysis["Emulated File Analysis"] -.-> | may-detect | T1546013["PowerShell Profile"] ; class EmulatedFileAnalysis DefensiveTechniqueNode; class PowerShellProfileScript ArtifactNode; click EmulatedFileAnalysis href 
"/technique/d3f:EmulatedFileAnalysis"; FileAnalysis["File Analysis"] --> | analyzes | PowerShellProfileScript["PowerShell Profile Script"]; FileAnalysis["File Analysis"] -.-> | may-detect | T1546013["PowerShell Profile"] ; class FileAnalysis DefensiveTechniqueNode; class PowerShellProfileScript ArtifactNode; click FileAnalysis href "/technique/d3f:FileAnalysis";