{
	"id": "d5758756-a57b-41c3-8539-a47627a39131",
	"created_at": "2026-04-06T00:17:23.887043Z",
	"updated_at": "2026-04-10T13:11:38.44446Z",
	"deleted_at": null,
	"sha1_hash": "fde205c56a57859c746346d783c27f6bdb4dca42",
	"title": "Lab Notes: Persistence and Privilege Elevation using the Powershell Profile",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49769,
	"plain_text": "Lab Notes: Persistence and Privilege Elevation using the Powershell Profile\r\nArchived: 2026-04-05 17:16:28 UTC\r\nTL;DR\r\nA recent ESET blog post mentions a persistence technique I wasn't previously aware of that is in use by the Turla APT group. The technique leverages the PowerShell profile to sabotage PowerShell in a way that executes arbitrary code every time PowerShell is launched. Upon testing, I've discovered this technique may also provide a low-and-slow vector to Domain Admin and other privileged admin or service accounts by leveraging common flaws in admin scripts, asset management systems, and enterprise detection and response tools. This post captures my observations working from Matt Nelson's 2014 blog post (apologies to the researcher if there is prior art I'm unaware of at the time of this post).\r\nPrivilege Elevation - Local Admin to Sloppy Admin\r\nSetup Requirements:\r\n1. In my testing, you need local admin rights to create the global profile:\r\n   a. $profile.AllUsersAllHosts\r\n   b. AKA C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\profile.ps1\r\n2. This does not bypass Execution Policy (check with Get-ExecutionPolicy).\r\n   a. If it's set to AllSigned or Restricted, not only will the code not execute; the end user might notice a suspicious error message reminding them of the execution policy. (By default a Windows 10 endpoint is Restricted.)\r\n3. A privileged user or, preferably, an automated task that runs PowerShell on the 0wned box with elevated domain privileges is needed. They also need to forget to pass the -NoProfile flag when launching it (which seems like just about everything and everybody in a large enterprise).\r\nNow any code you place in this global profile will be run by any user who launches PowerShell. We just decide what kind of PowerShell script we want our sloppy admin to execute, set our trap, and patiently wait.
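The following audit script is an added example and is not code from the original post. It checks the three setup requirements above from the defender's side on a single host (the effective execution policy, who can write each profile path plus its last-write time and hash, and scheduled tasks that launch PowerShell without -NoProfile), so it also covers the profile locations listed for detection later in the post. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows 8 / Server 2012 or later (for the ScheduledTasks module), run from an elevated prompt so ACLs and every task are readable; the function names are mine.

```powershell
# Added example, not code from the original post: audit one Windows host for the
# conditions the profile trap depends on. Function names are illustrative.

# 1. Execution policy. The profile only runs when the effective policy lets
#    unsigned local scripts run; AllSigned or Restricted neutralises the trap.
function Get-ProfileExecutionRisk {
    $effective = Get-ExecutionPolicy
    [pscustomobject]@{
        EffectivePolicy = $effective
        ProfileWillRun  = $effective -in 'Unrestricted', 'RemoteSigned', 'Bypass'
        PerScope        = (Get-ExecutionPolicy -List |
                            ForEach-Object { '{0}={1}' -f $_.Scope, $_.ExecutionPolicy }) -join '; '
    }
}

# 2. Profile locations. $PROFILE carries the four standard paths as note
#    properties; AllUsersAllHosts is the v1.0 profile.ps1 the elevation trap uses.
#    For a path that does not exist yet, the parent directory ACL is what matters,
#    because that is what an attacker needs write access to.
function Get-ProfileInventory {
    foreach ($prop in ($PROFILE.PSObject.Properties | Where-Object { $_.Name -like '*Hosts' })) {
        $path   = $prop.Value
        $exists = Test-Path -LiteralPath $path
        $target = if ($exists) { $path } else { Split-Path -Parent $path }
        $writers = @()
        if (Test-Path -LiteralPath $target) {
            $writers = (Get-Acl -LiteralPath $target).Access |
                Where-Object { $_.AccessControlType -eq 'Allow' -and
                               $_.FileSystemRights -match 'Write|Modify|FullControl' } |
                ForEach-Object { $_.IdentityReference.Value } |
                Sort-Object -Unique
        }
        [pscustomobject]@{
            Scope     = $prop.Name
            Path      = $path
            Exists    = $exists
            LastWrite = if ($exists) { (Get-Item -LiteralPath $path).LastWriteTimeUtc } else { $null }
            Sha256    = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { $null }
            # SYSTEM, Administrators and TrustedInstaller are expected on the
            # AllUsers paths; any other identity here is a finding.
            Writers   = $writers -join ', '
        }
    }
}

# 3. Mitigation 3 in the post: privileged automation that launches PowerShell
#    without -NoProfile is what turns the global profile into its account.
#    Scheduled tasks are one easy source; each exec action exposes Execute and
#    Arguments. -nop is the shortest unambiguous abbreviation of -NoProfile.
function Get-TasksMissingNoProfile {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.PSObject.Properties['Execute']) { continue }   # COM-handler actions
            $exe = [string]$action.Execute
            if ($exe -notlike '*powershell*' -and $exe -notlike '*pwsh*') { continue }
            if ([string]$action.Arguments -like '*-nop*') { continue }
            [pscustomobject]@{
                TaskPath  = $task.TaskPath
                TaskName  = $task.TaskName
                RunAs     = $task.Principal.UserId
                Execute   = $exe
                Arguments = $action.Arguments
            }
        }
    }
}

Get-ProfileExecutionRisk  | Format-List
Get-ProfileInventory      | Format-Table -AutoSize
Get-TasksMissingNoProfile | Format-Table -AutoSize
```

Each function also stands on its own (for example Get-ProfileInventory | Where-Object Exists for a quick baseline you can diff later). The task check only sees tasks the current account can read and only covers scheduled tasks, not services or agent-driven scripts, so treat an empty result as a starting point rather than a clean bill of health.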
\r\nAs a POC I used one line of code:\r\nAdd-Content c:\\windows\\temp\\test1.txt \"$(Get-Date) Profile POC Launched by $(whoami)\"\r\nWithin the hour a friendly enterprise asset management system ran my arbitrary code as SYSTEM, but with a phone call to IT and some trivial social engineering, this could have easily been one of the desktop admins.\r\nMitigation:\r\n1. Similar to detecting persistence in the startup folder, if you can audit file writes and modifications to C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\profile.ps1 you can alert on this in real time. Most userbases will not be making frequent changes to this file, which should leave you with a low-noise, high-fidelity alert.\r\n2. If you need another reason to preach the gospel of a restrictive PowerShell execution policy, this may be it. Unfortunately, if your admins are already using PowerShell, good luck telling them they can't.\r\n3. You can also audit to ensure any privileged accounts executing PowerShell on remote systems always invoke the -NoProfile command line argument.\r\nPersistence\r\nFor persistence, things are much simpler. The aforementioned mitigations 1 and 2 still apply, but the only requirement is the lax execution policy.
Every user should have access to edit their own $profile, and any code placed there will be executed any time PowerShell is launched in that user's context.\r\nOne Line POC:\r\nAdd-Content $profile \"Invoke-Item C:\\Windows\\System32\\calc.exe\"\r\n(Add-Content creates the file but not a missing parent directory; if the Documents\\WindowsPowerShell folder does not exist yet, create the profile first with New-Item -ItemType File -Path $profile -Force.)\r\nFor detection, we need to monitor a few additional file locations, but the alert volume should still be manageable:\r\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\profile.ps1\r\n$Home\\[My ]Documents\\WindowsPowerShell\\Profile.ps1\r\n$Home\\[My ]Documents\\WindowsPowerShell\\Microsoft.PowerShell_profile.ps1\r\n$PsHome\\Profile.ps1\r\n$PsHome\\Microsoft.PowerShell_profile.ps1\r\n$Home\\[My ]Documents\\PowerShell\\Profile.ps1\r\n$Home\\[My ]Documents\\PowerShell\\Microsoft.PowerShell_profile.ps1\r\nResources:\r\n1. Microsoft Documentation on PowerShell Profiles: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-6\r\n2. Abusing PowerShell Profiles: https://enigma0x3.net/2014/06/16/abusing-powershell-profiles/\r\n3. Turla PowerShell Usage: https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/\r\nSource: https://witsendandshady.blogspot.com/2019/06/lab-notes-persistence-and-privilege.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://witsendandshady.blogspot.com/2019/06/lab-notes-persistence-and-privilege.html"
	],
	"report_names": [
		"lab-notes-persistence-and-privilege.html"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434643,
	"ts_updated_at": 1775826698,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fde205c56a57859c746346d783c27f6bdb4dca42.pdf",
		"text": "https://archive.orkl.eu/fde205c56a57859c746346d783c27f6bdb4dca42.txt",
		"img": "https://archive.orkl.eu/fde205c56a57859c746346d783c27f6bdb4dca42.jpg"
	}
}