DET0451 Detection Strategy for PowerShell Profile Persistence via profile.ps1 Modification

| Item          | Value           |
|---------------|-----------------|
| ID            | DET0451         |
| Version       | 1.0             |
| Created       | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1546.013 (PowerShell Profile)

Analytics

Windows

AN1245

Defenders can identify PowerShell profile-based persistence by correlating file creation or modification in known profile locations with subsequent PowerShell process launches that do not use the -NoProfile flag. Profile scripts loading unusual modules or launching external programs, particularly under elevated contexts, are suspicious and may represent adversary persistence or privilege escalation.

Log Sources

| Data Component            | Name                  | Channel                                          |
|---------------------------|-----------------------|--------------------------------------------------|
| File Creation (DC0039)    | WinEventLog:Sysmon    | EventCode=11                                     |
| File Modification (DC0061)| WinEventLog:Sysmon    | EventCode=2                                      |
| Process Creation (DC0032) | WinEventLog:Sysmon    | EventCode=1                                      |
| Command Execution (DC0064)| WinEventLog:PowerShell| Execution of PowerShell without -NoProfile flag  |

Mutable Elements

| Field              | Description                                                                    |
|--------------------|--------------------------------------------------------------------------------|
| ProfilePathList    | Custom PowerShell host profiles or redirection to alternate profile paths      |
| ExecutionContext   | Whether profile execution occurs under elevated user (e.g., Administrator, SYSTEM) |
| ModuleOrScriptName | Specific modules or external programs loaded within profile                    |
| TimeWindow         | Correlation time between profile modification and PowerShell process start     |
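The correlation that AN1245 describes, written out as an added example (not part of the ATT&CK detection strategy itself): Sysmon file events in known profile locations are paired with later PowerShell launches whose command line does not disable profile loading, inside a configurable TimeWindow, with elevated IntegrityLevel raising the severity. The profile path list, the 24-hour window and the sample events are assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta
# Known Windows PowerShell 5.1 / PowerShell 7 profile locations ($PSHOME and per-user
# Documents folders). Extend for custom host profiles (mutable element ProfilePathList).
PROFILE_PATH_RE = re.compile(
    r"(\\WindowsPowerShell\\v1\.0\\|\\Documents\\(WindowsPowerShell|PowerShell)\\)"
    r"(Microsoft\.\w+_)?profile\.ps1$", re.IGNORECASE)
# powershell.exe accepts unambiguous prefixes of its switches, so -nop disables profiles too.
NOPROFILE_RE = re.compile(r"(?<!\S)[-/]nop\w*", re.IGNORECASE)
TIME_WINDOW = timedelta(hours=24)  # mutable element TimeWindow (assumed value)

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def correlate(events, window=TIME_WINDOW):
    """events: dicts with EventCode, UtcTime and TargetFilename (Sysmon 11/2) or Image,
    CommandLine, IntegrityLevel (Sysmon 1). Returns (profile_path, process_event, severity)."""
    mods = [e for e in events if e["EventCode"] in (11, 2)
            and PROFILE_PATH_RE.search(e["TargetFilename"])]
    hits = []
    for p in events:
        if p["EventCode"] != 1:
            continue
        if not p["Image"].lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
            continue
        if NOPROFILE_RE.search(p["CommandLine"]):
            continue  # profile not loaded, so the modified script does not run here
        sev = "high" if p.get("IntegrityLevel") in ("High", "System") else "medium"  # ExecutionContext
        for m in mods:
            delta = parse_ts(p["UtcTime"]) - parse_ts(m["UtcTime"])
            if timedelta(0) <= delta <= window:  # launch follows the profile write
                hits.append((m["TargetFilename"], p, sev))
    return hits

# Constructed sample telemetry using Sysmon field names (not real events).
SAMPLE = [
    {"EventCode": 11, "UtcTime": "2025-10-21 09:00:00",
     "TargetFilename": r"C:\Users\alice\Documents\WindowsPowerShell\profile.ps1"},
    {"EventCode": 1, "UtcTime": "2025-10-21 09:05:00", "IntegrityLevel": "Medium",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -c Get-Date"},          # -nop: not flagged
    {"EventCode": 1, "UtcTime": "2025-10-21 09:10:00", "IntegrityLevel": "High",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass"},  # profile loads: flagged
    {"EventCode": 11, "UtcTime": "2025-10-21 10:00:00",
     "TargetFilename": r"C:\Users\alice\Documents\notes.ps1"},     # not a profile path
]
if __name__ == "__main__":
    for path, proc, sev in correlate(SAMPLE):
        print(f"[{sev}] {path} modified, then {proc['CommandLine']!r} at {proc['UtcTime']}")
```

Real deployments would also inspect the written profile's contents for the modules or external programs it loads (mutable element ModuleOrScriptName), which this correlation alone does not do.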