This artifact will search and parse PowerShell profile scripts.
PowerShell supports several profiles depending on the user or host program. Adversaries may create or modify these profiles to include arbitrary commands, functions, modules, and/or PowerShell drives to gain persistence. When a backdoored PowerShell session is opened, the modified script is executed unless the -NoProfile flag is used when it is launched.
By default the artifact searches both user profiles and system-wide (PSHome) profiles. The user can also target and exclude specific content with the relevant regex filters.
name: Windows.Persistence.PowershellProfile
author: Matt Green - @mgreen27
description: |
   This artifact will search and parse PowerShell profile scripts.

   PowerShell supports several profiles depending on the user or host program.
   Adversaries may create or modify these profiles to include arbitrary commands,
   functions, modules, and/or PowerShell drives to gain persistence. When a
   backdoored PowerShell session is opened, the modified script is executed
   unless the -NoProfile flag is used when it is launched.

   By default the artifact searches both user profiles and system-wide (PSHome)
   profiles. The user can also target and exclude specific content with the
   relevant regex filters.

reference:
  - https://attack.mitre.org/techniques/T1546/013/

type: CLIENT

parameters:
  - name: UserProfileGlob
    default: '\Documents\{WindowsPowerShell,Powershell}\{Profile,Microsoft.*_profile}.ps1'
    description: Glob for PowerShell user profiles (appended to each user's profile directory).
  - name: PSHomeProfileGlob
    default: 'C:\Windows\System32\{WindowsPowerShell,Powershell}\v1.0\{Profile,Microsoft.*_profile}.ps1'
    description: Glob for PowerShell PSHome (system-wide) profiles.
  - name: SearchStrings
    default: .
    type: regex
    description: Regex that profile content must match to be reported.
  - name: StringWhiteList
    default:
    type: regex
    description: Regex that, when matched, excludes the profile from the results.

sources:
  - precondition:
      SELECT OS From info() where OS = 'windows'

    query: |
      -- First build the candidate profile glob for each local user.
      LET UserTargets = SELECT Name as Username,
            expand(path=Directory) + UserProfileGlob as ProfileGlob
        FROM Artifact.Windows.Sys.Users()
        WHERE Directory

      -- Search for both PowerShell system (PSHome) and user profiles.
      SELECT OSPath, Size,
        read_file(filename=OSPath) as Content,
        dict( Mtime=Mtime,
              Atime=Atime,
              Ctime=Ctime,
              Btime=Btime ) as Timestamps,
        hash(path=OSPath) as Hash
      FROM glob(globs=UserTargets.ProfileGlob + PSHomeProfileGlob)
      WHERE
        Content =~ SearchStrings
        AND NOT if(condition=StringWhiteList,
                   then= Content=~StringWhiteList,
                   else= False)
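For analysts without a Velociraptor client on the host, the same profile sweep can be run locally in PowerShell. The script below is an added example and is not part of the artifact above: it enumerates the four profile locations that PowerShell itself exposes on $PROFILE (AllUsersAllHosts, AllUsersCurrentHost, CurrentUserAllHosts, CurrentUserCurrentHost), adds the per-user profile paths for every directory under C:\Users, and reports each existing file with its timestamps, SHA-256 hash and content, filtered by the same include/exclude regex semantics as the artifact's SearchStrings and StringWhiteList parameters. The parameter names, the C:\Users root and the list of host-specific profile file names are assumptions made for this example; Get-Item does not expose the NTFS change time, so only Mtime, Atime and Btime are reported.

```powershell
# Added example, not part of the Velociraptor artifact. Mirrors the artifact's
# SearchStrings (include) and StringWhiteList (exclude) parameters; these
# parameter names and the profile file name list are assumptions.
param(
    [string]$SearchStrings   = '.',
    [string]$StringWhiteList = ''
)

# Profile paths PowerShell itself resolves for the current user and host program.
$hostProfiles = @(
    $PROFILE.AllUsersAllHosts,
    $PROFILE.AllUsersCurrentHost,
    $PROFILE.CurrentUserAllHosts,
    $PROFILE.CurrentUserCurrentHost
)

# Candidate user profiles for every local profile directory, covering both
# Windows PowerShell and PowerShell 7 and the common host-specific file names.
$profileNames = @(
    'profile.ps1',
    'Microsoft.PowerShell_profile.ps1',
    'Microsoft.PowerShellISE_profile.ps1',
    'Microsoft.VSCode_profile.ps1'
)
$userProfiles = Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object {
        foreach ($dir in 'WindowsPowerShell', 'PowerShell') {
            foreach ($name in $profileNames) {
                Join-Path -Path $_.FullName -ChildPath "Documents\$dir\$name"
            }
        }
    }

$candidates = @($hostProfiles + $userProfiles) | Sort-Object -Unique

foreach ($path in $candidates) {
    # Only existing files are of interest; a missing profile is the normal state.
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }

    $content = Get-Content -LiteralPath $path -Raw
    # Include filter: the content must match SearchStrings (default '.' matches any non-empty file).
    if ($content -notmatch $SearchStrings) { continue }
    # Exclude filter: drop files that match the allow-list regex, if one was supplied.
    if ($StringWhiteList -and ($content -match $StringWhiteList)) { continue }

    $item = Get-Item -LiteralPath $path
    [PSCustomObject]@{
        OSPath  = $path
        Size    = $item.Length
        Mtime   = $item.LastWriteTimeUtc
        Atime   = $item.LastAccessTimeUtc
        Btime   = $item.CreationTimeUtc
        Sha256  = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        Content = $content
    }
}
```

Run it from an elevated prompt so the per-user Documents folders are readable, for example `.\Find-PSProfiles.ps1 -SearchStrings 'Invoke-Expression|DownloadString' | Format-List`, and compare the reported hashes against a known-good baseline; any profile that exists at all on a host where none was deployed deserves a look regardless of its content.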