Detect PowerShell Profile in Elastic Security
Adversaries may establish persistence by placing malicious commands into a PowerShell profile. A PowerShell profile script is a script that runs when PowerShell starts and can be used as a logon script to customize user environments. PowerShell supports several profile locations including: $PROFILE (current user, current host), $PROFILE.AllUsersCurrentHost (all users, current host), $PROFILE.CurrentUserAllHosts (current user, all hosts), and $PROFILE.AllUsersAllHosts (all users, all hosts — the most powerful). Malicious profile content executes whenever an interactive PowerShell session is started, providing persistent code execution in the user's context.
MITRE ATT&CK
- Tactic
- Privilege Escalation Persistence
- Technique
- T1546 Event Triggered Execution
- Sub-technique
- T1546.013 PowerShell Profile
- Canonical reference
- https://attack.mitre.org/techniques/T1546/013/
Elastic Detection Query
file where event.action in ("creation", "overwrite", "rename") and (
file.name in~ ("Microsoft.PowerShell_profile.ps1", "Microsoft.VSCode_profile.ps1", "Microsoft.PowerShellISE_profile.ps1", "profile.ps1")
or (
file.path like~ "*WindowsPowerShell*" and file.name like~ "*.ps1"
)
or (
file.path like~ "*\\PowerShell\\*" and file.name like~ "*.ps1"
)
) and not process.name in~ (
"powershell.exe", "pwsh.exe", "notepad.exe", "code.exe",
"devenv.exe", "vim.exe", "nano.exe", "notepad++.exe", "sublime_text.exe"
)Detects creation or modification of PowerShell profile scripts by unexpected processes. PowerShell profiles are a common persistence mechanism (T1546.013) — adversaries write malicious commands to profile.ps1 or host-specific profile files so they execute whenever a new PowerShell session is opened.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate IT automation tools (Ansible, Chef, Puppet) that configure user environments by writing PowerShell profiles during provisioning
- Software installers (VS Code extensions, Azure PowerShell, AWS Tools for PowerShell) that write profile entries to add module auto-imports
- Developer workstations where build scripts or dotfile managers (chezmoi, yadm) manage shell profiles programmatically
Other platforms for T1546.013
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Add Malicious Command to PowerShell Profile
Expected signal: File modification event (Sysmon 11) for the PowerShell profile file. Process creation for powershell.exe executing Add-Content. PowerShell ScriptBlock Log Event ID 4104 shows the appended content. On next PowerShell launch, Event ID 4104 will show Invoke-Expression and DownloadString.
- Test 2Create AllUsers PowerShell Profile with Persistence
Expected signal: File creation or modification event (Sysmon 11) for C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1. IsSystemProfile=true in detection. Process creation for powershell.exe with Add-Content. This is a high-severity detection — AllUsers profile modification.
- Test 3Verify Profile Persistence Execution
Expected signal: File modification event for PowerShell profile. Process creation for powershell.exe (child session). File creation event for profile_executed.txt in Temp — confirms execution. The spawned PowerShell process loads the profile and executes the New-Item command.
References (4)
- https://attack.mitre.org/techniques/T1546/013/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles
- https://learn.microsoft.com/en-us/powershell/scripting/learn/shell/creating-profiles
Unlock Pro Content
Get the full detection package for T1546.013 including response playbook, investigation guide, and atomic red team tests.