{ | |
"type": "bundle", | |
"id": "bundle--c1d820fe-5d2c-4486-ae92-d32faf2fefd2", | |
"spec_version": "2.0", | |
"objects": [ | |
{ | |
"x_mitre_platforms": [ | |
"Windows" | |
], | |
"x_mitre_domains": [ | |
"enterprise-attack" | |
], | |
"x_mitre_contributors": [ | |
"Matthew Green", | |
"Allen DeRyke, ICE" | |
], | |
"object_marking_refs": [ | |
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" | |
], | |
"id": "attack-pattern--0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", | |
"type": "attack-pattern", | |
"created": "2020-01-24T15:11:02.758Z", | |
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", | |
"external_references": [ | |
{ | |
"source_name": "mitre-attack", | |
"external_id": "T1546.013", | |
"url": "https://attack.mitre.org/techniques/T1546/013" | |
}, | |
{ | |
"source_name": "Microsoft About Profiles", | |
"url": "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-6", | |
"description": "Microsoft. (2017, November 29). About Profiles. Retrieved June 14, 2019." | |
}, | |
{ | |
"source_name": "ESET Turla PowerShell May 2019", | |
"url": "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/", | |
"description": "Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019." | |
}, | |
{ | |
"source_name": "Wits End and Shady PowerShell Profiles", | |
"url": "https://witsendandshady.blogspot.com/2019/06/lab-notes-persistence-and-privilege.html", | |
"description": "DeRyke, A.. (2019, June 7). Lab Notes: Persistence and Privilege Elevation using the Powershell Profile. Retrieved July 8, 2019." | |
}, | |
{ | |
"url": "http://www.malwarearchaeology.com/s/Windows-PowerShell-Logging-Cheat-Sheet-ver-June-2016-v2.pdf", | |
"description": "Malware Archaeology. (2016, June). WINDOWS POWERSHELL LOGGING CHEAT SHEET - Win 7/Win 2008 or later. Retrieved June 24, 2016.", | |
"source_name": "Malware Archaeology PowerShell Cheat Sheet" | |
}, | |
{ | |
"source_name": "Microsoft Profiles", | |
"url": "https://docs.microsoft.com/powershell/module/microsoft.powershell.core/about/about_profiles", | |
"description": "Microsoft. (2021, September 27). about_Profiles. Retrieved February 4, 2022." | |
} | |
], | |
"modified": "2022-02-08T16:39:08.851Z", | |
"name": "PowerShell Profile", | |
"description": "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (<code>profile.ps1</code>) is a script that runs when [PowerShell](https://attack.mitre.org/techniques/T1059/001) starts and can be used as a logon script to customize user environments.\n\n[PowerShell](https://attack.mitre.org/techniques/T1059/001) supports several profiles depending on the user or host program. For example, there can be different profiles for [PowerShell](https://attack.mitre.org/techniques/T1059/001) host programs such as the PowerShell console, PowerShell ISE or Visual Studio Code. An administrator can also configure a profile that applies to all users and host programs on the local computer. (Citation: Microsoft About Profiles) \n\nAdversaries may modify these profiles to include arbitrary commands, functions, modules, and/or [PowerShell](https://attack.mitre.org/techniques/T1059/001) drives to gain persistence. Every time a user opens a [PowerShell](https://attack.mitre.org/techniques/T1059/001) session the modified script will be executed unless the <code>-NoProfile</code> flag is used when it is launched. (Citation: ESET Turla PowerShell May 2019) \n\nAn adversary may also be able to escalate privileges if a script in a PowerShell profile is loaded and executed by an account with higher privileges, such as a domain administrator. (Citation: Wits End and Shady PowerShell Profiles)", | |
"kill_chain_phases": [ | |
{ | |
"kill_chain_name": "mitre-attack", | |
"phase_name": "privilege-escalation" | |
}, | |
{ | |
"kill_chain_name": "mitre-attack", | |
"phase_name": "persistence" | |
} | |
], | |
"x_mitre_detection": "Locations where <code>profile.ps1</code> can be stored should be monitored for new profiles or modifications. (Citation: Malware Archaeology PowerShell Cheat Sheet)(Citation: Microsoft Profiles) Example profile locations (user defaults as well as program-specific) include:\n\n* <code>$PsHome\\Profile.ps1</code>\n* <code>$PsHome\\Microsoft.{HostProgram}_profile.ps1</code>\n* <code>$Home\\\\\\[My ]Documents\\PowerShell\\Profile.ps1</code>\n* <code>$Home\\\\\\[My ]Documents\\PowerShell\\Microsoft.{HostProgram}_profile.ps1</code>\n\nMonitor abnormal PowerShell commands, unusual loading of PowerShell drives or modules, and/or execution of unknown programs.", | |
"x_mitre_is_subtechnique": true, | |
"x_mitre_version": "1.1", | |
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", | |
"x_mitre_data_sources": [ | |
"File: File Creation", | |
"Command: Command Execution", | |
"File: File Modification", | |
"Process: Process Creation" | |
], | |
"x_mitre_permissions_required": [ | |
"User", | |
"Administrator" | |
] | |
} | |
] | |
} |