title: PowerShell Profile (T1546.013)
id: df00tech-t1546-013
status: experimental
description: "Adversaries may establish persistence by placing malicious commands into a PowerShell profile. A PowerShell profile (profile.ps1) is a script that runs when PowerShell starts and can be used as a logon script to customize user environments. PowerShell loads up to four profile scripts, exposed through $PROFILE and its properties: $PROFILE.CurrentUserCurrentHost (the value of $PROFILE itself, Microsoft.PowerShell_profile.ps1 in the user's Documents folder under WindowsPowerShell for Windows PowerShell or PowerShell for PowerShell 7), $PROFILE.CurrentUserAllHosts (profile.ps1 in the same folder), $PROFILE.AllUsersCurrentHost (Microsoft.PowerShell_profile.ps1 in $PSHOME) and $PROFILE.AllUsersAllHosts (profile.ps1 in $PSHOME). Other hosts load their own current-host file, such as Microsoft.PowerShellISE_profile.ps1 or Microsoft.VSCode_profile.ps1. The all-users locations sit under $PSHOME, require administrative rights to write, and run for every user and every host, which makes them the broadest persistence point. Profile content executes whenever a PowerShell host starts without -NoProfile, interactive or not, so it provides persistent code execution in the context of whichever user launched PowerShell."
references:
  - https://attack.mitre.org/techniques/T1546/013/
  - https://df00tech.com/detections/T1546.013
author: df00tech
date: 2026/04/20
tags:
  - attack.t1546.013
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: windows
  category: file_event
detection:
  # Stand-in for the df00tech KQL/SPL query (not auto-translatable): creation or overwrite of the standard profile paths; file_event misses in-place appends, so pair with script-block or command-line telemetry.
  selection:
    TargetFilename|contains:
      - '\WindowsPowerShell\'
      - '\PowerShell\'
    TargetFilename|endswith:
      - '\profile.ps1'
      - '\Microsoft.PowerShell_profile.ps1'
      - '\Microsoft.PowerShellISE_profile.ps1'
      - '\Microsoft.VSCode_profile.ps1'
  condition: selection
falsepositives:
  - Module installers or post-install scripts that append Import-Module or initialization lines to a profile
  - "Developer tool setup scripts (Visual Studio Code, PowerShell extension, Posh-git, oh-my-posh) that add profile entries during installation"
  - IT administrators legitimately configuring PowerShell environment via profile files as part of system baseline
  - Security tools that add their own functions or aliases to PowerShell profiles during installation
level: high
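The following Python script is an added example, not part of the df00tech rule or of MITRE's page. It replays the profile-path matching described above against constructed Sysmon-style FileCreate (Event ID 11) records and goes one step further than the rule: it reports which of the four $PROFILE scopes a written file corresponds to, so an analyst can tell an all-users profile (admin-only, runs for everyone) from a per-user one. It assumes the default $PSHOME install paths for Windows PowerShell 5.1 and PowerShell 7, the Sysmon field names Image, TargetFilename and User, and a severity mapping chosen for illustration; the sample events are constructed, not real telemetry.

```python
"""Replay this rule's profile-path selection over constructed Sysmon-style
file-create events and report which $PROFILE scope each hit targets."""
import re

# Host-specific profile file names: Microsoft.<Host>_profile.ps1 (CurrentHost).
HOST_PROFILE_RE = re.compile(r"^microsoft\.[a-z0-9_]+_profile\.ps1$")
# $PSHOME for Windows PowerShell 5.1 and PowerShell 7 (default install paths assumed).
PSHOME_RE = re.compile(
    r"\\(windows\\system32\\windowspowershell\\v1\.0|program files\\powershell\\\d+)\\$")
# Per-user profile folders under Documents (Windows PowerShell and PowerShell 7).
USER_DIR_RE = re.compile(r"\\documents\\(windowspowershell|powershell)\\$")


def classify_profile(path):
    """Map a file path to its $PROFILE scope ('AllUsersAllHosts', ...),
    or return None if it is not one of the four standard profile locations."""
    p = path.replace("/", "\\").lower()
    directory, _, name = p.rpartition("\\")
    if name == "profile.ps1":
        hosts = "AllHosts"
    elif HOST_PROFILE_RE.match(name):
        hosts = "CurrentHost"
    else:
        return None
    directory += "\\"
    if PSHOME_RE.search(directory):
        users = "AllUsers"
    elif USER_DIR_RE.search(directory):
        users = "CurrentUser"
    else:
        return None  # profile-like name in a non-profile folder: PowerShell never loads it
    return users + hosts


def evaluate(events):
    """Return one alert per FileCreate event (Sysmon EID 11) that targets a profile."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 11:
            continue
        scope = classify_profile(ev["TargetFilename"])
        if scope is None:
            continue
        alerts.append({
            "scope": scope,
            "image": ev["Image"],
            "user": ev["User"],
            "path": ev["TargetFilename"],
            # All-users profiles need admin rights to write and run for everyone: escalate
            # (severity values are this example's choice, not the rule's).
            "severity": "critical" if scope.startswith("AllUsers") else "high",
        })
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": r"CORP\alice",
     "TargetFilename": r"C:\Users\alice\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1"},
    {"EventID": 11, "Image": r"C:\Windows\System32\notepad.exe", "User": r"CORP\svc_admin",
     "TargetFilename": r"C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1"},
    {"EventID": 11, "Image": r"C:\Program Files\PowerShell\7\pwsh.exe", "User": r"CORP\svc_admin",
     "TargetFilename": r"C:\Program Files\PowerShell\7\Microsoft.PowerShell_profile.ps1"},
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "User": r"CORP\alice",
     "TargetFilename": r"C:\Users\alice\Documents\PowerShell\Microsoft.VSCode_profile.ps1"},
    # Negatives: a profile-named file outside any profile folder, and a non-profile file.
    {"EventID": 11, "Image": r"C:\Tools\setup.exe", "User": r"CORP\alice",
     "TargetFilename": r"C:\Tools\app\profile.ps1"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe", "User": r"CORP\alice",
     "TargetFilename": r"C:\Users\alice\Documents\WindowsPowerShell\notes.txt"},
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['scope']:<22} {a['user']} {a['image']} -> {a['path']}")
```

Run stand-alone, the script flags the four genuine profile writes and drops the two negatives. The first and fourth hits (powershell.exe and Code.exe writing per-user profiles) are the shape the false-positive list above describes and need triage on the writing process and the appended content; the notepad.exe write to the all-users profile is the one to treat as an incident until proven otherwise.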
