MITRE ATT&CK® Detection Strategy

DET0451: Detection Strategy for PowerShell Profile Persistence via profile.ps1 Modification

Enterprise | DET0451 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0451 is a MITRE ATT&CK detection strategy for spotting persistence through modification of PowerShell profile.ps1 files. The business significance is that PowerShell profiles can cause code to run automatically when PowerShell starts, making them a persistence and potential privilege-escalation foothold on Windows systems. For leaders, this is less about a single file name and more about whether the organization can prove it monitors script-based startup locations that may survive reboots, user sessions, and routine troubleshooting.

Executive priority

Prioritize this as a resilience and incident-readiness control for Windows environments where PowerShell is used administratively. Security leaders should ask whether endpoint logging, file integrity monitoring, and SOC workflows can identify suspicious changes to PowerShell profile locations, preserve evidence for investigation, and distinguish legitimate administrator customization from persistence activity. This also supports audit and compliance evidence by demonstrating coverage of script-based persistence mechanisms rather than relying only on malware alerts.

Technical view

The supplied ATT&CK relationship states that this detection strategy detects T1546.013, PowerShell Profile, associated with persistence and privilege escalation on Windows. SOC and detection engineering teams should validate monitoring around creation or modification of PowerShell profile.ps1 files and execution of PowerShell sessions that load profile content. Because the detection strategy object itself does not provide official detection logic, teams should build and test environment-specific analytics using local file-change telemetry, process execution telemetry, and account context, then tune for known administrative profile customization.

Likely telemetry

  • File creation, modification, and timestamp changes for PowerShell profile.ps1 paths
  • PowerShell process start events and command-line context
  • PowerShell script block, module, or operational logging where enabled
  • Endpoint detection and response file/process telemetry
  • User, host, and privilege context associated with profile changes

Detection direction

  • Validate that telemetry covers PowerShell profile file locations relevant to users and host programs in the environment, since ATT&CK notes multiple PowerShell profiles may exist.
  • Alert on unexpected creation or modification of profile.ps1 files, especially when performed by unusual users, processes, or outside approved administration windows.
  • Correlate profile changes with subsequent PowerShell launches to determine whether modified profile content may have executed.
  • Tune false positives for legitimate administrator customization, developer workstation configuration, and managed endpoint build processes.
  • Use the relationship to T1546.013 to map detections to persistence and privilege-escalation investigation playbooks.
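The detection direction above can be exercised end to end on telemetry. The following is an added example written for this page, not code from Glexia or MITRE: it takes constructed file-write and process-start records shaped like EDR/Sysmon events, matches writes against the documented PowerShell profile locations ($PSHOME for Windows PowerShell 5.1 and PowerShell 7+, and the per-user Documents folders, including the console-host and ISE variants), suppresses writers on a change-control allow-list, and correlates each remaining write with later PowerShell launches on the same host that would actually load the profile (same user for per-user profiles, and no -NoProfile switch). The function names `analyze` and `is_profile_path`, the sample events, the allow-list and the 24-hour correlation window are all assumptions of the example.

```python
"""Added example (not Glexia's or MITRE's code): flag unexpected writes to PowerShell
profile locations and correlate them with later PowerShell launches that load profiles."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Documented $PROFILE locations: $PSHOME for Windows PowerShell 5.1 and PowerShell 7+,
# plus the per-user Documents folders (optionally redirected under OneDrive), for the
# AllHosts (profile.ps1), console-host and ISE variants.
PROFILE_PATH_RE = re.compile(
    r"^[a-z]:\\(?:"
    r"windows\\system32\\windowspowershell\\v1\.0"
    r"|program files\\powershell\\\d+"
    r"|users\\[^\\]+\\(?:onedrive\\)?documents\\(?:windowspowershell|powershell)"
    r")\\(?:microsoft\.powershell(?:ise)?_)?profile\.ps1$",
    re.IGNORECASE,
)
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}


def is_profile_path(path: str) -> bool:
    """True when the path is one of the locations PowerShell loads as a profile."""
    return PROFILE_PATH_RE.match(path) is not None


def _loads_profile(command_line: str) -> bool:
    """A launch with -NoProfile (or an abbreviation such as -nop) skips every profile."""
    return re.search(r"(?:^|\s)-nop\w*", command_line, re.IGNORECASE) is None


def _per_user_owner(path: str):
    """Username for a per-user profile path, None for the all-users ($PSHOME) profiles."""
    m = re.search(r"\\users\\([^\\]+)\\", path, re.IGNORECASE)
    return m.group(1).lower() if m else None


@dataclass
class Finding:
    host: str
    user: str
    image: str                 # basename of the writing process
    path: str
    written_at: datetime
    disposition: str           # "approved" (allow-listed writer) or "alert"
    launches: list = field(default_factory=list)   # later profile-loading PowerShell starts


def analyze(events, approved_writers, correlate_within=timedelta(hours=24)):
    """events: dicts with ts, host, event ("file_write" | "process_start"), user, image,
    and path (file_write) or command_line (process_start).
    approved_writers: (user, image basename) pairs known from change control."""
    allow = {(u.lower(), i.lower()) for u, i in approved_writers}
    writes = [e for e in events if e["event"] == "file_write" and is_profile_path(e["path"])]
    starts = [e for e in events if e["event"] == "process_start"
              and PureWindowsPath(e["image"]).name.lower() in POWERSHELL_HOSTS]
    findings = []
    for w in sorted(writes, key=lambda e: e["ts"]):
        image = PureWindowsPath(w["image"]).name.lower()
        approved = (w["user"].lower(), image) in allow
        f = Finding(w["host"], w["user"], image, w["path"], w["ts"],
                    "approved" if approved else "alert")
        if not approved:
            owner = _per_user_owner(w["path"])
            f.launches = [
                s["ts"] for s in starts
                if s["host"] == w["host"]
                and w["ts"] < s["ts"] <= w["ts"] + correlate_within
                and _loads_profile(s["command_line"])
                # a per-user profile only runs for that user; $PSHOME profiles run for everyone
                and (owner is None or s["user"].split("\\")[-1].lower() == owner)
            ]
        findings.append(f)
    return findings


# Constructed sample telemetry (not real events) for one day on two workstations.
def T(h, m):
    return datetime(2025, 1, 15, h, m)

SAMPLE_EVENTS = [
    {"ts": T(8, 30), "host": "WS01", "event": "file_write", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\CCM\CcmExec.exe",
     "path": r"C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1"},
    {"ts": T(13, 5), "host": "WS01", "event": "file_write", "user": "CORP\\alice",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "path": r"C:\Users\alice\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1"},
    {"ts": T(13, 7), "host": "WS01", "event": "process_start", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe"},
    {"ts": T(13, 20), "host": "WS01", "event": "process_start", "user": "CORP\\alice",
     "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "command_line": "pwsh.exe -NoProfile -File C:\\Scripts\\inventory.ps1"},
    {"ts": T(13, 30), "host": "WS01", "event": "process_start", "user": "CORP\\svc-backup",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -File C:\\Scripts\\backup.ps1"},
    {"ts": T(14, 0), "host": "WS02", "event": "file_write", "user": "CORP\\bob",
     "image": r"C:\Windows\System32\notepad.exe",
     "path": r"C:\Users\bob\Documents\PowerShell\profile.ps1"},
    {"ts": T(14, 5), "host": "WS02", "event": "file_write", "user": "CORP\\bob",
     "image": r"C:\Windows\System32\notepad.exe",
     "path": r"C:\Users\bob\Documents\notes.ps1"},          # not a profile location
]
# Constructed change-control allow-list: the configuration-management agent may baseline $PSHOME.
APPROVED_WRITERS = {("NT AUTHORITY\\SYSTEM", "ccmexec.exe")}

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS, APPROVED_WRITERS):
        print(f"{f.disposition:8} {f.host} {f.user} wrote {f.path} via {f.image} at "
              f"{f.written_at:%H:%M}; later profile-loading launches: "
              f"{[t.strftime('%H:%M') for t in f.launches]}")
```

Run stand-alone, the script reports the SYSTEM write as approved, alice's profile write on WS01 as an alert with one correlated launch (the 13:20 launch is excluded by -NoProfile and the 13:30 launch belongs to a different user, whom a per-user profile does not affect), and bob's write on WS02 as an alert with no later launch, which is the "modified but possibly not yet executed" case the triage playbook should still pick up. The allow-list and the per-user ownership check are the two tuning points for the false-positive sources named above.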

Mitigation priorities

  • Inventory where PowerShell profiles are permitted and who is authorized to modify them.
  • Restrict write access to profile locations to appropriate users and administrators.
  • Enable and retain endpoint/file-change and PowerShell execution telemetry needed for investigation.
  • Use change control or configuration management to baseline legitimate profile content where feasible.
  • Include PowerShell profile review in incident response triage for suspected persistence on Windows systems.

Analyst notes and limits

The ATT&CK object is a detection strategy named for PowerShell Profile persistence via profile.ps1 modification and is linked to technique T1546.013. The related technique provides the key context: PowerShell profiles can run when PowerShell starts and are associated with persistence and privilege escalation on Windows. Practical detection value depends on local logging configuration, endpoint visibility, and knowledge of legitimate administrative use.

The supplied detection strategy has no official description, no official detection text, no specified platforms or tactics on the strategy object itself, and no aliases or labels. Windows, persistence, and privilege-escalation context come from the related T1546.013 technique, not from DET0451 fields directly. This take does not assert active exploitation, attribution, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Detection Strategy for PowerShell Profile Persistence via profile.ps1 Modification

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain      ID         Name                Relationship / procedure
Enterprise  T1546.013  PowerShell Profile  Sub-technique. This object detects PowerShell Profile.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
a8233dc944ef516c...
Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  a8233dc944ef…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: DET0451

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.