MITRE ATT&CK Technique
Persistence T1504
Description

Adversaries may gain persistence and elevate privileges in certain situations by abusing [PowerShell](https://attack.mitre.org/techniques/T1086) profiles. A PowerShell profile (<code>profile.ps1</code>) is a script that runs when PowerShell starts and can be used as a logon script to customize user environments. PowerShell supports several profiles depending on the user or host program. For example, there can be different profiles for PowerShell host programs such as the PowerShell console, PowerShell ISE or Visual Studio Code. An administrator can also configure a profile that applies to all users and host programs on the local computer. (Citation: Microsoft About Profiles)

Adversaries may modify these profiles to include arbitrary commands, functions, modules, and/or PowerShell drives to gain persistence. Every time a user opens a PowerShell session the modified script will be executed unless the <code>-NoProfile</code> flag is used when it is launched. (Citation: ESET Turla PowerShell May 2019)

An adversary may also be able to escalate privileges if a script in a PowerShell profile is loaded and executed by an account with higher privileges, such as a domain administrator. (Citation: Wits End and Shady PowerShell Profiles)
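One way to check the profile locations described above for unexpected changes, as an added example that is not part of the original entry. The baseline file name <code>profile-baseline.json</code> and its layout (a JSON object mapping profile path to expected SHA256) are assumptions.

```powershell
# Added example: audit the PowerShell profile scripts that apply to the current host.
# Start it with -NoProfile so the profiles under inspection are not executed first.
param(
    # Assumed baseline: a JSON object mapping profile path -> expected SHA256.
    [string]$BaselinePath = '.\profile-baseline.json'
)

$baseline = @{}   # hashtable keys are case-insensitive, like Windows paths
if (Test-Path -LiteralPath $BaselinePath -PathType Leaf) {
    $json = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
    foreach ($entry in $json.PSObject.Properties) { $baseline[$entry.Name] = $entry.Value }
}

# $PROFILE exposes the four profile paths of this host program as properties.
# Other hosts (ISE, Visual Studio Code) use their own CurrentHost files, so
# repeat the audit from each host program that is in use.
$scopes = 'AllUsersAllHosts', 'AllUsersCurrentHost',
          'CurrentUserAllHosts', 'CurrentUserCurrentHost'

$report = foreach ($scope in $scopes) {
    $path = $PROFILE.$scope
    if (-not $path) { continue }   # host does not define this scope
    $row = [ordered]@{ Scope = $scope; Path = $path; Status = 'Absent'
                       SHA256 = $null; Signature = $null; Owner = $null; LastWrite = $null }

    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $row.SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $row.Signature = (Get-AuthenticodeSignature -LiteralPath $path).Status
        $row.Owner     = (Get-Acl -LiteralPath $path).Owner
        $row.LastWrite = (Get-Item -LiteralPath $path -Force).LastWriteTimeUtc

        if (-not $baseline.ContainsKey($path))    { $row.Status = 'NotInBaseline' }
        elseif ($baseline[$path] -eq $row.SHA256) { $row.Status = 'Match' }
        else                                      { $row.Status = 'Changed' }
    }
    elseif ($baseline.ContainsKey($path)) {
        $row.Status = 'MissingFromDisk'   # baseline expected a profile that is gone
    }
    [pscustomobject]$row
}

$report | Format-List
# Non-zero exit when a profile exists that the baseline does not vouch for.
$unexpected = @($report | Where-Object { $_.Status -in 'NotInBaseline', 'Changed' })
exit $unexpected.Count
```

On a host where no profiles are expected, any row other than <code>Absent</code> is worth a look, with the owner and last-write time showing who could have placed the file and when.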

Supported Platforms
Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2019-06-14T18:53:49.472Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may gain persistence and elevate privileges in '
                'certain situations by abusing '
                '[PowerShell](https://attack.mitre.org/techniques/T1086) '
                'profiles. A PowerShell profile  (<code>profile.ps1</code>) is '
                'a script that runs when PowerShell starts and can be used as '
                'a logon script to customize user environments. PowerShell '
                'supports several profiles depending on the user or host '
                'program. For example, there can be different profiles for '
                'PowerShell host programs such as the PowerShell console, '
                'PowerShell ISE or Visual Studio Code. An administrator can '
                'also configure a profile that applies to all users and host '
                'programs on the local computer. (Citation: Microsoft About '
                'Profiles) \n'
                '\n'
                'Adversaries may modify these profiles to include arbitrary '
                'commands, functions, modules, and/or PowerShell drives to '
                'gain persistence. Every time a user opens a PowerShell '
                'session the modified script will be executed unless the '
                '<code>-NoProfile</code> flag is used when it is launched. '
                '(Citation: ESET Turla PowerShell May 2019) \n'
                '\n'
                'An adversary may also be able to escalate privileges if a '
                'script in a PowerShell profile is loaded and executed by an '
                'account with higher privileges, such as a domain '
                'administrator. (Citation: Wits End and Shady PowerShell '
                'Profiles)',
 'external_references': [{'external_id': 'T1504',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1504'},
                         {'description': 'Microsoft. (2017, November 29). '
                                         'About Profiles. Retrieved June 14, '
                                         '2019.',
                          'source_name': 'Microsoft About Profiles',
                          'url': 'https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-6'},
                         {'description': 'Faou, M. and Dumont R.. (2019, May '
                                         '29). A dive into Turla PowerShell '
                                         'usage. Retrieved June 14, 2019.',
                          'source_name': 'ESET Turla PowerShell May 2019',
                          'url': 'https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/'},
                         {'description': 'DeRyke, A.. (2019, June 7). Lab '
                                         'Notes: Persistence and Privilege '
                                         'Elevation using the Powershell '
                                         'Profile. Retrieved July 8, 2019.',
                          'source_name': 'Wits End and Shady PowerShell '
                                         'Profiles',
                          'url': 'https://witsendandshady.blogspot.com/2019/06/lab-notes-persistence-and-privilege.html'},
                         {'description': 'Malware Archaeology. (2016, June). '
                                         'WINDOWS POWERSHELL LOGGING CHEAT '
                                         'SHEET - Win 7/Win 2008 or later. '
                                         'Retrieved June 24, 2016.',
                          'source_name': 'Malware Archaeology PowerShell Cheat '
                                         'Sheet',
                          'url': 'http://www.malwarearchaeology.com/s/Windows-PowerShell-Logging-Cheat-Sheet-ver-June-2016-v2.pdf'}],
 'id': 'attack-pattern--723e3a2b-ca0d-4daa-ada8-82ea35d3733a',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'persistence'},
                       {'kill_chain_name': 'mitre-attack',
                        'phase_name': 'privilege-escalation'}],
 'modified': '2025-10-24T17:48:57.057Z',
 'name': 'PowerShell Profile',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': True,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Allen DeRyke, ICE'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Windows'],
 'x_mitre_version': '1.1'}