home.social

#t1546 — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #t1546, aggregated by home.social.

  1. 🦖Day 74 of the @velocidex #velociraptor #ArtifactsOfAutumn series

    Artifact: Windows[.]Persistence[.]PowershellProfile

    Author: @mgreen27

    Link: docs.velociraptor.app/artifact

    ----

    PowerShell supports several profiles depending on the user or host program. Adversaries may create or modify these profiles to include arbitrary commands, functions, modules, and/or PowerShell drives to gain persistence.

    ----

    When a backdoored PowerShell session is opened, the modified script will be executed unless the '-NoProfile' flag is used upon launch.

    An adversary may also be able to escalate privileges if a script in a PS profile is loaded and executed by an account with higher privileges, for example, a domain administrator.

    ----

    In the past, Turla has used PowerShell profiles to maintain persistence on an infected machine.

    attack.mitre.org/groups/G0010
    welivesecurity.com/2019/05/29/

    ----

    This artifact will search and parse PowerShell profile scripts.

    By default, both user and system-wide profiles will be searched. The user can also use regex to target and exclude specific content.

    ----

    Here (image), we can see that the PowerShell profile for the user 'wlambert' specifies that 'Start-Process' should call 'C:\User\Downloads\wlambert\malz.exe'. Again, this would be called every time a PowerShell session is initiated. 👀

    ----

    In this instance, 'malz.exe' is simply a copy of good ol' calc.exe 😀

    ----

    This profile modification was simulated by running the following commands from a PS session:

    - 'Add-Content $profile -Value ""'
    - 'Add-Content $profile -value "Start-Process C:\Users\wlambert\Downloads\malz.exe"'

    The profile content can be checked with 'Get-Content $profile'.

    ----

    That's it for now! Stay tuned to learn about more artifacts! 🦖

    Also, check out the links below for more information about PowerShell profiles!

    Atomic Red Team Test:
    atomicredteam.io/persistence/T

    MITRE ATT&CK Reference:
    attack.mitre.org/techniques/T1

    #DFIR
    #Forensics
    #Infosec
    #Persistence
    #Windows
    #T1546
    #T1546.013
    #ThreatHunting
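A hunting script in the spirit of the artifact described in the post above, added here as an example; it is not the author's code nor the Velociraptor artifact itself. It assumes Windows PowerShell 5.1 / PowerShell 7 profile locations, and the include/exclude regexes are a constructed starting point to be tuned per environment.

```powershell
# Added example (not from the post or the Velociraptor artifact): list every
# PowerShell profile script on the host and flag lines that launch or decode code.

# Profiles for the current user/host, plus the ISE host files $PROFILE omits
# when run from a console (assumed standard paths).
$paths = @(
    $PROFILE.AllUsersAllHosts,
    $PROFILE.AllUsersCurrentHost,
    $PROFILE.CurrentUserAllHosts,
    $PROFILE.CurrentUserCurrentHost,
    (Join-Path $PSHOME 'Microsoft.PowerShellISE_profile.ps1'),
    (Join-Path $HOME 'Documents\WindowsPowerShell\Microsoft.PowerShellISE_profile.ps1')
)

# Other users' profiles (needs admin to read); covers both 5.1 and 7 folders.
$paths += Get-ChildItem -Path 'C:\Users\*\Documents\WindowsPowerShell\*profile.ps1',
                              'C:\Users\*\Documents\PowerShell\*profile.ps1' `
                        -ErrorAction SilentlyContinue |
          Select-Object -ExpandProperty FullName

# Constructed regexes: what to surface, and what to ignore (comment-only lines).
$Include = 'Start-Process|Invoke-Expression|\biex\b|DownloadString|FromBase64String|-EncodedCommand|\.exe\b'
$Exclude = '^\s*#'

$findings = foreach ($p in ($paths | Sort-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    $item = Get-Item -LiteralPath $p
    $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
    $n = 0
    foreach ($line in (Get-Content -LiteralPath $p)) {
        $n++
        if ($line -match $Include -and $line -notmatch $Exclude) {
            [pscustomobject]@{
                Profile       = $p
                LastWriteTime = $item.LastWriteTime   # pivot point for a timeline
                Sha256        = $hash                 # for baselining known-good profiles
                Line          = $n
                Content       = $line.Trim()
            }
        }
    }
}

# A profile containing the post's simulated line would show up here as
# "Start-Process C:\Users\wlambert\Downloads\malz.exe".
$findings | Format-Table -AutoSize -Wrap
```

Empty output means no profile script on the host contains a matching line; a populated profile is not by itself malicious, so compare the hash and LastWriteTime against a known-good baseline before escalating.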