Greetings, fellow learners! Today, we’re going to explore a captivating subject: How to achieve Prolonged Persistence using PowerShell Profile Scripts. I’ve got one of my interesting topic for you today, “Prolonged Adversarial Persistence.” So, if you’re ready, let’s dive right in.
To provide some clarity, we can refer to it as “Event-Triggered Execution,” an event that is invoked each time a command is executed. Groups like Turla, also known as Snake, employed PowerShell scripts for direct, in-memory loading and execution of malicious executables and libraries. This approach enabled them to bypass detection mechanisms that typically trigger when a malicious executable is saved to disk.
PowerShell offers the flexibility to create various profiles tailored to individual users and host programs. Creating a PowerShell profile is a common practice among those who work extensively with PowerShell. It enables users to customize their environment, including configurations, functions, modules, and more, and to execute specific commands when a PowerShell session starts. Users also leverage profiles for automatically mapping network drives or shared resources.
Breaking down the term “Profile,” it’s essentially an automatic variable, namely $PROFILE, used to store the paths to the PowerShell profiles available in the current session. Remember that the script within these profiles is executed each time a user logs on. As mentioned earlier, different profiles exist for different users and hosts. Consequently, there are distinct paths for various profile types:
Profile Paths for Different Profile Types:
All Users, All Hosts
Windows - $PSHOME\Profile.ps1
Linux - /opt/Microsoft/powershell/7/profile.ps1
macOS - /usr/local/Microsoft/powershell/7/profile.ps1
All Users, Current Host
Windows - $PSHOME\Microsoft.PowerShell_profile.ps1
Linux - /opt/Microsoft/powershell/7/Microsoft.PowerShell_profile.ps1
macOS - /usr/local/microsoft/powershell/7/Microsoft.PowerShell_profile.ps1
Current User, All Hosts
Windows - $HOME\Documents\PowerShell\Profile.ps1
Linux - ~/.config/PowerShell/profile.ps1
macOS - ~/.config/PowerShell/profile.ps1
Current user, Current Host
Windows - $HOME\Documents\PowerShell\Microsoft.PowerShell_profile.ps1
Linux - ~/.config/PowerShell/Microsoft.PowerShell_profile.ps1
macOS - ~/.config/PowerShell/Microsoft.PowerShell_profile.ps1
Now, let’s delve into the steps required to implement this technique:
Check the current Profile Path:
View the Profile path:
Verify if a profile already exists:
Test-Path -Path $PROFILE
This command should return either True or False as a response.
If the profile doesn’t exist, don’t worry. Here’s how you can create a new profile for the current user:
New-Item -ItemType File -Path $PROFILE -Force
Edit it with your preferred text editor, and your payload will execute on every login.
You can even utilize this technique with Metasploit. For instance, here’s an example of requesting PowerShell to execute a malicious .exe payload generated using Metasploit for reverse TCP: