Windows PowerShell Persistence

Link

Windows PowerShell Persistence

Windows users have in their Documents directory (usually) a folder named “WindowsPowerShell”. PowerShell allows users to customize their PowerShell environment through the use of profile files.

image

This file can be abused by using it as a wrapper for other commands to execute as the user context opening the PowerShell terminal. (ie - low privilege user, low privilege outcome; UAC admin user, admin outcome). Note that execution of the included command will stop PowerShell from loading, and may prevent legitimate business functions from occurring.

Execution

For the below example we are using an AES shellcode injection technique as I am also bypassing Defender, however most commands can be used (again, depending on user context). My executable is named applesauce.exe, which loads an encoded shellcode, decodes and executes it. 

echo "'C:\users\jwhel\Desktop\Projects\Injections\applesauce.exe test.bin_enc'; del C:\Users\jwhel\Documents\WindowsPowerShell\profile.ps1" > profile.ps1

Now that the command is echoed into the profile.ps1 file, we can wait for a valid user to start PowerShell, which executes the payload command. Again, this technique can essentially disable PowerShell for the user, so use with caution (in the above example I delete the profile.ps1 file after I terminate the shell access. Note that you shouldn’t use the profile.ps1 file if the user actually uses this feature).

Echoing command into profile.ps1
Echoing command into profile.ps1
PowerShell hanging while waiting for command execution
PowerShell hanging while waiting for command execution
Reverse shell access
Reverse shell access

References

https://attack.mitre.org/techniques/T1546/013/

TwitterLinkedInMediumDiscord

Copyright © Joe Helle 2023