Lateral Movement with PowerShell Profiles

Description

This script attempts to laterally move to another system by creating a PowerShell profile on the remote system.

Overview

This script attempts to gain execution on a remote system by generating a specially crafted PowerShell profile, inserting it in the system profile location on the remote target, enabling PowerShell script execution, and then waiting for the script to trigger under an NT AUTHORITY\SYSTEM or Administrator account.

The location the script will be placed is:

  • C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1

Arguments

  Parameter     Type    Description
  ComputerName  string  The IP address or hostname of the system to run the cradle.
  Username      string  The local or domain username to authenticate with.
  Password      string  The password for the specified user.
  Build         string  The Specter build identifier.

Dependencies

  • lateral

Operating Systems

  • Windows

Pre-Requisites

  • Valid administrator credentials (either explicit or impersonated) for the target system or domain.
  • RemoteRegistry service must be enabled to set the ExecutionPolicy. If the ExecutionPolicy cannot be set, then the PowerShell profile may not execute.

Employment Considerations

  • This script will attempt to set the ExecutionPolicy on the remote system to Bypass. If that is not successful, the profile will still be created. This will cause all PowerShell sessions to throw an exception at the very beginning, which may alert defenders. It may be worth checking the registry key below or ensuring that the PowerShell ExecutionPolicy is configured via Group Policy to allow script execution.
    Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
    Value: "ExecutionPolicy"
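The artefacts this module leaves behind are a machine-wide profile.ps1 at the path listed above and a relaxed ExecutionPolicy value in the registry. As an added illustration from the defender's side (example code, not part of this module's documentation), the audit snippet below checks both on the local host and flags the combination. It assumes it is run with local administrator rights; the HKLM key is the machine-wide counterpart of the HKCU key quoted above and is included as an assumption about where a policy applied to SYSTEM sessions would be read from.

```powershell
# Added audit example; not part of the original module documentation.
# Assumption: run with local administrator rights on the host being audited.

# AllUsersAllHosts profile location named in the documentation above.
$ProfilePath = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\profile.ps1'

# Registry locations holding the ExecutionPolicy value. The HKCU key is the one
# quoted above; HKLM is assumed to hold the machine-wide value.
$PolicyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell',
    'HKCU:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
)

function Get-ProfileAudit {
    $result = [ordered]@{
        ProfilePath   = $ProfilePath
        ProfileExists = Test-Path -LiteralPath $ProfilePath
        LastWriteUtc  = $null
        SHA256        = $null
        Signature     = $null
        Policies      = [ordered]@{}
    }

    if ($result.ProfileExists) {
        $item = Get-Item -LiteralPath $ProfilePath
        $result.LastWriteUtc = $item.LastWriteTimeUtc
        # Hash and signature status let the file be compared against a known baseline.
        $result.SHA256    = (Get-FileHash -LiteralPath $ProfilePath -Algorithm SHA256).Hash
        $result.Signature = (Get-AuthenticodeSignature -LiteralPath $ProfilePath).Status
    }

    foreach ($key in $PolicyKeys) {
        # A missing key or value is reported as '<not set>' rather than an error.
        $value = (Get-ItemProperty -Path $key -Name ExecutionPolicy -ErrorAction SilentlyContinue).ExecutionPolicy
        $result.Policies[$key] = if ($null -ne $value) { $value } else { '<not set>' }
    }

    [pscustomobject]$result
}

$audit = Get-ProfileAudit
$audit | Format-List

# Effective policy per scope, for cross-checking against the raw registry values.
Get-ExecutionPolicy -List

# A clean system normally has no machine-wide profile.ps1; its presence together
# with a relaxed policy is the state this module leaves behind.
$relaxed = @($audit.Policies.Values) | Where-Object { $_ -in @('Bypass', 'Unrestricted') }
if ($audit.ProfileExists -and $relaxed) {
    Write-Warning "Machine-wide profile present and ExecutionPolicy is relaxed; review $ProfilePath"
}
```

Run it on a host after an incident, or periodically from a scheduled task, and compare the reported hash and LastWriteUtc against an approved baseline; a profile at this path that the organisation did not deploy is worth pulling for review regardless of the policy value.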

Example Output

{
  "Lateral": {
    "Username": "[email protected]",
    "Payload": "ps_lateral_movement_profile",
    "Method": "PowerShell Profile",
    "Build": "remote",
    "Success": true,
    "ExecutionPolicy": "Bypass",
    "Path": "\\\\192.168.1.103\\C$\\Windows\\System32\\WindowsPowerShell\\v1.0\\profile.ps1",
    "System": "192.168.1.103"
  }
}