Defenders can identify PowerShell profile-based persistence by correlating file creation or modification in the known profile locations with subsequent PowerShell process launches that do not suppress profile loading (no -NoProfile flag, nor one of its unambiguous abbreviations such as -nop). Profile scripts that import unusual modules or launch external programs are suspicious, and the concern is greatest under an elevated context (an administrator's elevated session, or SYSTEM via a scheduled task or service), because a profile the user can write to runs with whatever privileges the hosting PowerShell session holds; such activity may represent adversary persistence or privilege escalation.
| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| File Modification (DC0061) | WinEventLog:Sysmon | EventCode=2 (a changed file creation timestamp, i.e. timestomping of the profile; content writes are not a Sysmon event and need Security EventCode=4663 with a SACL on the profile directories, or a file-integrity monitor) |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Command Execution (DC0064) | WinEventLog:PowerShell | Script block / module logging in the PowerShell Operational log shows the profile contents actually executing; the -NoProfile check itself is made against the CommandLine of the process creation event |

| Field | Description |
|---|---|
| ProfilePathList | The profile paths monitored: the AllUsers profiles under $PSHOME and the CurrentUser profiles under Documents for both Windows PowerShell and PowerShell 7, extended with custom host profiles (ISE, VS Code) or any redirection of $PROFILE to an alternate path |
| ExecutionContext | Whether the PowerShell process that loads the profile runs elevated (High integrity level, or SYSTEM) |
| ModuleOrScriptName | Specific modules imported or external programs launched from within the profile |
| TimeWindow | Maximum gap allowed between the profile write and the PowerShell process start; persistence may not fire until the next session days later, so tune this generously |
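The correlation described above, as an added example that is not part of the original page: a small Python detector over constructed Sysmon-style records (EventCode 11 file creates and EventCode 1 process creates). It matches the default profile locations, drops launches that pass -NoProfile or one of its abbreviations, requires the launch to use the engine that actually reads that profile (powershell.exe for Windows PowerShell paths, pwsh.exe for PowerShell 7 paths), requires a CurrentUser profile to be paired with a launch by that same user, and flags elevated launches. The event shapes and field names are assumed to mirror Sysmon's; the sample records are constructed for the example.

```python
"""Correlate writes to PowerShell profile files with later PowerShell launches
that will load them (no -NoProfile). Added example, not the page's own code;
the events below are constructed Sysmon-style records, not real telemetry."""
import re
from datetime import datetime, timedelta

# Default profile locations: AllUsers under $PSHOME (v1.0 for Windows PowerShell,
# Program Files\PowerShell\7 for PowerShell 7), CurrentUser under Documents, plus
# per-host variants such as Microsoft.PowerShell_profile.ps1 / Microsoft.PowerShellISE_profile.ps1.
PROFILE_PATH_RE = re.compile(
    r"\\(?P<dir>Windows\\System32\\WindowsPowerShell\\v1\.0"
    r"|Program Files\\PowerShell\\7"
    r"|Users\\(?P<owner>[^\\]+)\\Documents\\(?:WindowsPowerShell|PowerShell))"
    r"\\(?:profile|Microsoft\.[A-Za-z]+_profile)\.ps1$",
    re.IGNORECASE,
)
PS_IMAGE_RE = re.compile(r"\\(?P<exe>powershell|pwsh)\.exe$", re.IGNORECASE)
# -NoProfile may be shortened to any unambiguous prefix; "-nop" is the shortest one.
NOPROFILE_RE = re.compile(r"(?:^|\s)[-/]nop\w*", re.IGNORECASE)
ELEVATED_LEVELS = {"High", "System"}          # Sysmon IntegrityLevel values
PROFILE_WRITE_CODES = {11, 2}                 # FileCreate, and creation-time change (timestomping)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def profile_target(path):
    """Return (engine, owner) if path is a PowerShell profile, else None.
    engine: 'windows' (read by powershell.exe) or 'core' (read by pwsh.exe).
    owner: user name for a CurrentUser profile, None for an AllUsers profile."""
    m = PROFILE_PATH_RE.search(path)
    if not m:
        return None
    engine = "windows" if "windowspowershell" in m.group("dir").lower() else "core"
    return engine, m.group("owner")


def profile_loading_launch(ev):
    """Return the engine if ev is a PowerShell process start that loads profiles, else None."""
    if ev["EventCode"] != 1:
        return None
    m = PS_IMAGE_RE.search(ev["Image"])
    if not m or NOPROFILE_RE.search(ev.get("CommandLine", "")):
        return None
    return "windows" if m.group("exe").lower() == "powershell" else "core"


def correlate(events, window=timedelta(hours=1)):
    """Pair every profile write with later profile-loading launches inside `window`."""
    writes, launches = [], []
    for ev in events:
        if ev["EventCode"] in PROFILE_WRITE_CODES:
            tgt = profile_target(ev["TargetFilename"])
            if tgt:
                writes.append((_ts(ev["UtcTime"]), ev, *tgt))
        else:
            eng = profile_loading_launch(ev)
            if eng:
                launches.append((_ts(ev["UtcTime"]), ev, eng))
    alerts = []
    for wt, w, w_engine, owner in writes:
        for lt, l, l_engine in launches:
            if not (wt <= lt <= wt + window) or l_engine != w_engine:
                continue
            # A CurrentUser profile is only loaded by that user's own sessions.
            if owner and l["User"].split("\\")[-1].lower() != owner.lower():
                continue
            alerts.append({
                "profile": w["TargetFilename"],
                "written_by": w["Image"],
                "write_user": w["User"],
                "launch_time": l["UtcTime"],
                "command_line": l["CommandLine"],
                "launch_user": l["User"],
                "elevated": l.get("IntegrityLevel") in ELEVATED_LEVELS,
                "seconds_after_write": int((lt - wt).total_seconds()),
            })
    alerts.sort(key=lambda a: a["launch_time"])
    return alerts


# Constructed sample telemetry (field names follow Sysmon's EventCode 11 / 1 records).
PS51 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventCode": 11, "UtcTime": "2024-05-01 10:15:30.123", "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\alice\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1", "User": r"CORP\alice"},
    {"EventCode": 11, "UtcTime": "2024-05-01 10:16:00.000", "Image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\Documents\report.docx", "User": r"CORP\alice"},          # noise
    {"EventCode": 1, "UtcTime": "2024-05-01 10:20:05.000", "Image": PS51, "User": r"CORP\alice", "IntegrityLevel": "Medium",
     "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\job.ps1"},  # profile suppressed
    {"EventCode": 1, "UtcTime": "2024-05-01 10:22:11.000", "Image": PS51, "User": r"CORP\alice", "IntegrityLevel": "High",
     "CommandLine": "powershell.exe"},                                                             # elevated, loads profile
    {"EventCode": 1, "UtcTime": "2024-05-01 10:25:00.000", "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "User": r"CORP\bob", "IntegrityLevel": "Medium", "CommandLine": "pwsh.exe -Command Get-Date"},  # other user, other engine
    {"EventCode": 11, "UtcTime": "2024-05-01 11:00:00.000", "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventCode": 1, "UtcTime": "2024-05-01 11:05:00.000", "Image": PS51, "User": r"NT AUTHORITY\SYSTEM", "IntegrityLevel": "System",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},     # scheduled task, AllUsers profile
    {"EventCode": 1, "UtcTime": "2024-05-01 13:00:00.000", "Image": PS51, "User": r"CORP\alice", "IntegrityLevel": "Medium",
     "CommandLine": "powershell.exe"},                                                             # outside the 1h window
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample it emits two alerts: alice's per-user profile followed by her elevated launch 400 seconds later, and the AllUsers Windows PowerShell profile written as SYSTEM followed by a SYSTEM launch. The -NoProfile launch, bob's pwsh session (wrong user and wrong engine for that profile) and the launch two hours later are all dropped. In production the window belongs in the TimeWindow element above and should be much longer than an hour, and the content of the profile (ModuleOrScriptName) comes from script block logging rather than from these events.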