MITRE ATT&CK® Analytic

AN1245: Analytic 1245

Defenders can identify PowerShell profile-based persistence by correlating file creation or modification in known profile locations with subsequent PowerShell process launches that do not use the `-NoProfile` flag. Profile scripts loading unusual modules or launching external programs, particularly under elevated contexts, are suspicious and may represent adversary persistence or privilege escalation.

Enterprise | AN1245 | Analytic | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic matters because PowerShell profiles can quietly turn routine administrator or user PowerShell launches into a persistence trigger. For leaders, the practical question is whether the organization can prove that changes to Windows PowerShell profile locations are monitored and correlated with later PowerShell execution that loads profiles. Without that linkage, a persistence mechanism may look like normal scripting activity.

Executive priority

Prioritize this where Windows administration, privileged operations, or incident response workflows rely heavily on PowerShell. The decision value is auditability and resilience: can security teams show evidence of profile file changes, subsequent PowerShell launches, and whether those launches used the -NoProfile flag? This supports SOC readiness, privileged access oversight, and incident scoping when suspicious PowerShell behavior appears.

Technical view

For Windows environments, validate correlation between file creation or modification in known PowerShell profile locations and later PowerShell process launches that do not include the -NoProfile flag. Give higher review priority to profile scripts that load unusual modules, launch external programs, or run under elevated contexts. Because ATT&CK provides no separate detection implementation here, teams should test whether endpoint telemetry can connect the file event, process command line, execution context, and script behavior into one investigation path.

Likely telemetry

  • Windows file creation and modification events for known PowerShell profile paths
  • PowerShell process creation events with command-line arguments
  • Evidence of whether PowerShell was launched with or without the -NoProfile flag
  • PowerShell script/module loading telemetry where available
  • Parent-child process relationships showing external programs launched from PowerShell

Detection direction

  • Tune detections around correlation, not isolated events: a profile file change alone may be administrative, while a later PowerShell launch that loads the profile adds investigative value.
  • Review PowerShell launches without -NoProfile after recent profile changes, especially when the session is elevated or tied to privileged users.
  • Flag profile content that loads unusual modules or starts external programs, while accounting for legitimate administrative automation.
  • Validate command-line capture quality; missing or truncated PowerShell arguments can create a major blind spot.
  • Confirm coverage of all relevant Windows hosts, especially administrator workstations and servers where PowerShell is frequently used.
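The correlation described in the Technical view and Detection direction above, as an added example that is not part of the MITRE object or Glexia's analysis: it joins file events on the documented default profile paths (the $PSHOME and per-user Documents locations, which should still be validated locally) with later PowerShell launches whose command line lacks -NoProfile or an abbreviation such as -nop, and raises priority for elevated sessions. The event schema, host names, users and timestamps are constructed for the example.

```python
import re
from datetime import datetime, timedelta
# Default Windows PowerShell / PowerShell 7 profile locations ($PSHOME and the per-user
# Documents folders). Documented defaults; validate exact paths against local hosts.
PROFILE_RE = re.compile(r"\\(WindowsPowerShell(\\v1\.0)?|PowerShell(\\\d+)?)"
                        r"\\(Microsoft\.PowerShell_)?profile\.ps1$", re.I)
# powershell.exe accepts -NoProfile and any unambiguous prefix of it, such as -nop.
NOPROFILE_RE = re.compile(r"(?:^|\s)[-/]nop\w*", re.I)
PS_IMAGES = {"powershell.exe", "pwsh.exe"}

def is_profile_path(path: str) -> bool:
    return bool(PROFILE_RE.search(path))

def uses_noprofile(cmdline: str) -> bool:
    return bool(NOPROFILE_RE.search(cmdline))

def correlate(events, window=timedelta(hours=24)):
    """Flag profile-loading PowerShell launches preceded (within `window`) by a profile change on the same host."""
    changes = [e for e in events if e["type"] == "file" and is_profile_path(e["path"])]
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["type"] != "process" or e["image"].rsplit("\\", 1)[-1].lower() not in PS_IMAGES:
            continue
        if uses_noprofile(e["cmdline"]):
            continue  # profile not loaded, so the file change alone is not actionable here
        prior = [c for c in changes
                 if c["host"] == e["host"] and timedelta(0) <= e["ts"] - c["ts"] <= window]
        if prior:
            alerts.append({"host": e["host"], "user": e["user"], "launch": e["ts"],
                           "cmdline": e["cmdline"], "profiles": [c["path"] for c in prior],
                           # elevated sessions get higher review priority, as the analytic says
                           "severity": "high" if e.get("elevated") else "medium"})
    return alerts

# Constructed sample telemetry (not real logs): profile edit on WS01, a -NoProfile launch
# (suppressed), an elevated profile-loading launch (alert), and SRV02 with no prior change.
T0 = datetime(2024, 5, 1, 9, 0, 0)
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"type": "file", "ts": T0, "host": "WS01", "user": "CORP\\jdoe", "action": "modified",
     "path": r"C:\Users\jdoe\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1"},
    {"type": "process", "ts": T0 + timedelta(minutes=5), "host": "WS01", "user": "CORP\\jdoe",
     "image": PS_EXE, "cmdline": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1",
     "elevated": False},
    {"type": "process", "ts": T0 + timedelta(minutes=30), "host": "WS01", "user": "CORP\\jdoe",
     "image": PS_EXE, "cmdline": "powershell.exe", "elevated": True},
    {"type": "process", "ts": T0 + timedelta(minutes=10), "host": "SRV02", "user": "CORP\\svc",
     "image": PS_EXE, "cmdline": r"powershell.exe -File C:\scripts\deploy.ps1", "elevated": True},
]
```

The join is per host for simplicity; per-user profiles under Documents only load for that user, so a production rule should also key Documents-based paths on the launching user, and the 24-hour window should be tuned to local change volume.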

Mitigation priorities

  • Establish an approved baseline for PowerShell profile usage in administrative environments.
  • Restrict write access to profile locations to appropriate users and administrative roles.
  • Monitor and review changes to profile scripts, especially on privileged systems.
  • Encourage administrative practices that reduce unnecessary profile loading where operationally feasible, such as explicit use of -NoProfile for controlled automation.
  • Include PowerShell profile review in incident response scoping when suspicious PowerShell execution is identified.

Analyst notes and limits

This object is a detection analytic, not a technique description. It is limited to Windows and focuses on PowerShell profile-based persistence detection through file/process correlation. No ATT&CK relationships were supplied, so this take does not infer specific tactics, techniques, procedures, threat actors, or campaigns.

The official object does not provide a separate detection field, tactics, relationships, or mitigation text. Local validation is required to identify exact profile paths, approved profile behavior, available endpoint telemetry, and acceptable administrative use cases.

Official MITRE ATT&CK definition

Analytic 1245

Defenders can identify PowerShell profile-based persistence by correlating file creation or modification in known profile locations with subsequent PowerShell process launches that do not use the `-NoProfile` flag. Profile scripts loading unusual modules or launching external programs, particularly under elevated contexts, are suspicious and may represent adversary persistence or privilege escalation.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 3749cc96395bd803...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 3749cc96395b…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1245

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.