Active 2024-10-15

Mandatory Profile Persistence

Windows Mandatory Profile persistence testing toolkit - validating detection coverage for this stealthy persistence technique.

persistence windows profiles red-team detection-testing
Quickstart
Get started instantly
git clone https://github.com/MHaggis/notes.git && cd notes/utilities/MandatoryProfilePersistence

The Problem

Windows Mandatory Profiles can be abused for persistence by modifying profile settings to execute malicious code on user login. This technique is stealthy and rarely tested by defenders, leaving a blind spot in detection coverage.

The Solution

Mandatory Profile Persistence provides tools and techniques for testing this persistence mechanism, helping defenders validate their detection capabilities and understand the artifacts this technique creates.

Impact

Enables security teams to test and detect a lesser-known persistence technique that adversaries may use to maintain access while evading common detection methods.

What are Mandatory Profiles?

Windows Mandatory Profiles are read-only user profiles that reset to a default state on logout. While designed for shared workstations, they can be abused for persistence.

Attack Technique

Adversaries can abuse mandatory profiles by:

Registry Modifications

Modifying profile paths to point to attacker-controlled locations:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\{SID}

Profile Hijacking

Replacing legitimate profile files with malicious versions that execute on login.

Logon Scripts

Embedding malicious scripts in mandatory profile configurations.

Persistence Mechanisms

User Profile Service

  • Modify profile paths
  • Replace profile files
  • Inject into profile loading

Logon Events

Execute malicious code during:

  • User logon
  • Profile load
  • Desktop initialization

Detection Opportunities

Registry Monitoring

index=sysmon EventCode=13 
  TargetObject="*\\ProfileList\\*"
| table _time, Computer, TargetObject, Details

Profile Path Changes

Monitor for unexpected profile path modifications.
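An added example, not part of the toolkit, that applies the ProfileList check from the Sysmon search above to constructed Event ID 13 records offline: it flags writes under a per-user ProfileList subkey that come from a process other than the profile service, or that point ProfileImagePath outside the usual profile roots. The expected-root and expected-writer lists are assumed baselines, not values from the page.

```python
import re

# Constructed Sysmon Event ID 13 (RegistryEvent: value set) records with the
# field names Sysmon emits; sample input, not real telemetry.
PL = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\"
SAMPLE_EVENTS = [
    {"EventCode": "13", "Computer": "WS01", "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": PL + "S-1-5-21-1111-2222-3333-1001\\ProfileImagePath",
     "Details": "C:\\Users\\alice"},
    {"EventCode": "13", "Computer": "WS01", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": PL + "S-1-5-21-1111-2222-3333-1001\\ProfileImagePath",
     "Details": "C:\\ProgramData\\staging\\alice"},
    {"EventCode": "13", "Computer": "WS01", "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Tools\\updater.exe"},
]

# A value written directly under a per-user ProfileList\{SID} subkey.
PROFILELIST_RE = re.compile(r"\\ProfileList\\(S-1-5-[\d-]+)\\([^\\]+)$", re.IGNORECASE)

# Assumed baselines, to be tuned per environment: where profiles normally live,
# and the process that normally maintains ProfileList (the User Profile
# Service runs inside svchost.exe).
EXPECTED_ROOTS = ("c:\\users\\", "c:\\windows\\serviceprofiles\\",
                  "%systemroot%\\system32\\config\\systemprofile")
EXPECTED_WRITERS = ("c:\\windows\\system32\\svchost.exe",)


def analyse_event(ev):
    """Return an alert dict for a suspicious ProfileList write, else None."""
    match = PROFILELIST_RE.search(ev.get("TargetObject", ""))
    if ev.get("EventCode") != "13" or not match:
        return None
    sid, value_name = match.groups()
    reasons = []
    if ev.get("Image", "").lower() not in EXPECTED_WRITERS:
        reasons.append(f"written by {ev.get('Image')} rather than the profile service")
    if (value_name.lower() == "profileimagepath"
            and not ev.get("Details", "").lower().startswith(EXPECTED_ROOTS)):
        reasons.append(f"profile path outside expected roots: {ev.get('Details')}")
    if not reasons:
        return None
    return {"computer": ev.get("Computer"), "sid": sid, "value": value_name, "reasons": reasons}


def find_suspicious(events):
    """Run analyse_event over a batch and keep only the hits."""
    return [a for a in map(analyse_event, events) if a]
```

Only the reg.exe write that redirects ProfileImagePath to C:\ProgramData is reported; the profile service's own write and the unrelated Run key write are ignored.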

File System Activity

Watch for modifications to profile directories.

Logon Script Execution

Detect unusual scripts running at logon.

Testing Framework

The toolkit provides:

Test Scripts

PowerShell scripts to simulate the persistence technique.

Validation Tools

Verify the persistence mechanism works as expected.

Cleanup Utilities

Remove test artifacts after validation.

Detection Validation

Generate telemetry to test your detection rules.

Use Cases

Red Team Operations

Establish stealthy persistence during engagements.

Detection Engineering

Validate detection coverage for profile-based persistence.

Security Research

Understand Windows profile security mechanisms.

Training

Demonstrate lesser-known persistence techniques.

Artifacts Created

  • Registry modifications in ProfileList
  • Modified profile files
  • Logon script execution
  • User profile service interactions

Mitigations

  • Monitor ProfileList registry key
  • Restrict profile path modifications
  • Audit logon scripts
  • Implement least privilege
  • Use read-only profile directories

Responsible Use

This tool is for authorized security testing only. Always obtain proper authorization before testing persistence mechanisms.
