test_scratch
/
cti-ATT-CK-v13.1
/enterprise-attack
/attack-pattern
/attack-pattern--0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3.json
| { | |
| "type": "bundle", | |
| "id": "bundle--c1d820fe-5d2c-4486-ae92-d32faf2fefd2", | |
| "spec_version": "2.0", | |
| "objects": [ | |
| { | |
| "x_mitre_platforms": [ | |
| "Windows" | |
| ], | |
| "x_mitre_domains": [ | |
| "enterprise-attack" | |
| ], | |
| "x_mitre_contributors": [ | |
| "Matthew Green", | |
| "Allen DeRyke, ICE" | |
| ], | |
| "object_marking_refs": [ | |
| "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" | |
| ], | |
| "id": "attack-pattern--0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", | |
| "type": "attack-pattern", | |
| "created": "2020-01-24T15:11:02.758Z", | |
| "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", | |
| "external_references": [ | |
| { | |
| "source_name": "mitre-attack", | |
| "external_id": "T1546.013", | |
| "url": "https://attack.mitre.org/techniques/T1546/013" | |
| }, | |
| { | |
| "source_name": "Microsoft About Profiles", | |
| "url": "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-6", | |
| "description": "Microsoft. (2017, November 29). About Profiles. Retrieved June 14, 2019." | |
| }, | |
| { | |
| "source_name": "ESET Turla PowerShell May 2019", | |
| "url": "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/", | |
| "description": "Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019." | |
| }, | |
| { | |
| "source_name": "Wits End and Shady PowerShell Profiles", | |
| "url": "https://witsendandshady.blogspot.com/2019/06/lab-notes-persistence-and-privilege.html", | |
| "description": "DeRyke, A.. (2019, June 7). Lab Notes: Persistence and Privilege Elevation using the Powershell Profile. Retrieved July 8, 2019." | |
| }, | |
| { | |
| "url": "http://www.malwarearchaeology.com/s/Windows-PowerShell-Logging-Cheat-Sheet-ver-June-2016-v2.pdf", | |
| "description": "Malware Archaeology. (2016, June). WINDOWS POWERSHELL LOGGING CHEAT SHEET - Win 7/Win 2008 or later. Retrieved June 24, 2016.", | |
| "source_name": "Malware Archaeology PowerShell Cheat Sheet" | |
| }, | |
| { | |
| "source_name": "Microsoft Profiles", | |
| "url": "https://docs.microsoft.com/powershell/module/microsoft.powershell.core/about/about_profiles", | |
| "description": "Microsoft. (2021, September 27). about_Profiles. Retrieved February 4, 2022." | |
| } | |
| ], | |
| "modified": "2022-02-08T16:39:08.851Z", | |
| "name": "PowerShell Profile", | |
| "description": "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (<code>profile.ps1</code>) is a script that runs when [PowerShell](https://attack.mitre.org/techniques/T1059/001) starts and can be used as a logon script to customize user environments.\n\n[PowerShell](https://attack.mitre.org/techniques/T1059/001) supports several profiles depending on the user or host program. For example, there can be different profiles for [PowerShell](https://attack.mitre.org/techniques/T1059/001) host programs such as the PowerShell console, PowerShell ISE or Visual Studio Code. An administrator can also configure a profile that applies to all users and host programs on the local computer. (Citation: Microsoft About Profiles) \n\nAdversaries may modify these profiles to include arbitrary commands, functions, modules, and/or [PowerShell](https://attack.mitre.org/techniques/T1059/001) drives to gain persistence. Every time a user opens a [PowerShell](https://attack.mitre.org/techniques/T1059/001) session the modified script will be executed unless the <code>-NoProfile</code> flag is used when it is launched. (Citation: ESET Turla PowerShell May 2019) \n\nAn adversary may also be able to escalate privileges if a script in a PowerShell profile is loaded and executed by an account with higher privileges, such as a domain administrator. (Citation: Wits End and Shady PowerShell Profiles)", | |
| "kill_chain_phases": [ | |
| { | |
| "kill_chain_name": "mitre-attack", | |
| "phase_name": "privilege-escalation" | |
| }, | |
| { | |
| "kill_chain_name": "mitre-attack", | |
| "phase_name": "persistence" | |
| } | |
| ], | |
| "x_mitre_detection": "Locations where <code>profile.ps1</code> can be stored should be monitored for new profiles or modifications. (Citation: Malware Archaeology PowerShell Cheat Sheet)(Citation: Microsoft Profiles) Example profile locations (user defaults as well as program-specific) include:\n\n* <code>$PsHome\\Profile.ps1</code>\n* <code>$PsHome\\Microsoft.{HostProgram}_profile.ps1</code>\n* <code>$Home\\\\\\[My ]Documents\\PowerShell\\Profile.ps1</code>\n* <code>$Home\\\\\\[My ]Documents\\PowerShell\\Microsoft.{HostProgram}_profile.ps1</code>\n\nMonitor abnormal PowerShell commands, unusual loading of PowerShell drives or modules, and/or execution of unknown programs.", | |
| "x_mitre_is_subtechnique": true, | |
| "x_mitre_version": "1.1", | |
| "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", | |
| "x_mitre_data_sources": [ | |
| "File: File Creation", | |
| "Command: Command Execution", | |
| "File: File Modification", | |
| "Process: Process Creation" | |
| ], | |
| "x_mitre_permissions_required": [ | |
| "User", | |
| "Administrator" | |
| ] | |
| } | |
| ] | |
| } |