Showing posts from 2019

Lab Notes: Persistence and Privilege Elevation using the Powershell Profile

TL;DR: A recent ESET blog post mentions a persistence technique I wasn't previously aware of that is in use by the Turla APT group. The technique leverages the PowerShell profile to sabotage PowerShell so that arbitrary code executes every time PowerShell is launched. In testing I've found that this technique may also provide a low and slow vector to Domain Admin and other privileged admin or service accounts, by leveraging common flaws in admin scripts, asset management systems, and enterprise detection and response tools. This post captures my observations working from Matt Nelson's 2014 blog post (apologies to the researcher if there is prior art I'm unaware of at the time of writing).

Privilege Elevation - Local Admin to Sloppy Admin

Setup Requirements: In my testing, you need local admin rights to create the global profile $profile.AllUsersAllHosts, AKA C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1. This does not bypass Executi...
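The mechanism above rests on two facts: every PowerShell host loads the scripts at the four $PROFILE locations on start-up unless it is launched with -NoProfile, and whoever launches the host (a logged-on admin, a scheduled task running as SYSTEM, an agent that shells out to powershell.exe) runs that code under their own token. The audit script below is an added example, not code from the post or from ESET or Matt Nelson; it checks a host for the two conditions a defender cares about: a profile that already exists in an all-users location (a stock Windows install ships with none) or a profile location that broad groups can write to, and scheduled tasks that start PowerShell without -NoProfile and would therefore run such a profile as their principal. It assumes Windows PowerShell 5.1 or PowerShell 7 with the ScheduledTasks module, and the "broad group" list and the Suspicious heuristic are my own choices, not anything from the post.

```powershell
# Added example (not from the original post): audit the four $PROFILE locations
# and find scheduled tasks that would execute a planted profile as their principal.
# Run inside the host you want to audit: $PROFILE paths differ per host
# (console, ISE, VS Code) and per edition (Windows PowerShell vs PowerShell 7).

function Get-PowerShellProfileAudit {
    [CmdletBinding()]
    param()

    $scopes = 'AllUsersAllHosts', 'AllUsersCurrentHost',
              'CurrentUserAllHosts', 'CurrentUserCurrentHost'

    foreach ($scope in $scopes) {
        $path   = $PROFILE.$scope
        $dir    = Split-Path -Path $path -Parent
        $exists = Test-Path -LiteralPath $path -PathType Leaf

        # If the file exists, who can change it; if not, who can create it (directory ACL).
        $target  = if ($exists) { $path } else { $dir }
        $owner   = $null
        $writers = @()
        if (Test-Path -LiteralPath $target) {
            $acl     = Get-Acl -LiteralPath $target
            $owner   = $acl.Owner
            $writers = @($acl.Access |
                Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    ($_.FileSystemRights.ToString() -match 'Write|Modify|FullControl')
                } |
                ForEach-Object { $_.IdentityReference.Value } |
                Sort-Object -Unique)
        }

        $hash = $null; $lastWrite = $null; $preview = $null
        if ($exists) {
            $hash      = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $lastWrite = (Get-Item -LiteralPath $path).LastWriteTimeUtc
            $preview   = (Get-Content -LiteralPath $path -TotalCount 5) -join "`n"
        }

        # Heuristic (my choice): broad groups with write rights mean a low-privileged
        # user can plant code that runs for everyone launching this host.
        $broad = @($writers | Where-Object {
            $_ -match 'Everyone|Authenticated Users|BUILTIN\\Users|INTERACTIVE' })

        [pscustomobject]@{
            Scope        = $scope
            Path         = $path
            Exists       = $exists
            LastWriteUtc = $lastWrite
            Sha256       = $hash
            Owner        = $owner
            WritableBy   = ($writers -join '; ')
            # Any existing all-users profile deserves a look; Windows does not ship one.
            Suspicious   = ($exists -and $scope -like 'AllUsers*') -or ($broad.Count -gt 0)
            Preview      = $preview
        }
    }
}

function Get-ProfileLoadingTasks {
    # Scheduled tasks that launch PowerShell without -NoProfile execute the profile
    # under the task's principal (often SYSTEM or a service/admin account).
    [CmdletBinding()]
    param()

    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # ComHandler actions have no Execute property; -match on $null is simply false.
            if ($action.Execute -match '(?i)powershell|pwsh' -and
                $action.Arguments -notmatch '(?i)-nop') {
                [pscustomobject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    RunAs    = $task.Principal.UserId
                    Command  = "$($action.Execute) $($action.Arguments)"
                }
            }
        }
    }
}

Get-PowerShellProfileAudit | Format-List
Get-ProfileLoadingTasks | Format-Table -AutoSize
```

Two caveats when reading the output. Inherited generic rights sometimes surface in FileSystemRights as a bare integer rather than a name, so a row with an empty WritableBy column is not proof that nobody can write; check the ACL by hand for anything you care about. And the scheduled-task check only covers one launcher; services, logon scripts and agents that spawn powershell.exe need the same -NoProfile review, which is exactly the "sloppy admin" surface the post goes on to describe.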