VsCode Powershell Profile Modification
Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
Sigma rule (View on GitHub)
1title: VsCode Powershell Profile Modification
2id: 3a9fa2ec-30bc-4ebd-b49e-7c9cff225502
3related:
4 - id: b5b78988-486d-4a80-b991-930eff3ff8bf
5 type: similar
6status: test
7description: Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
8references:
9 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.2
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2022-08-24
12modified: 2023-01-06
13tags:
14 - attack.persistence
15 - attack.privilege-escalation
16 - attack.t1546.013
17logsource:
18 product: windows
19 category: file_event
20detection:
21 selection:
22 TargetFilename|endswith: '\Microsoft.VSCode_profile.ps1'
23 condition: selection
24falsepositives:
25 - Legitimate use of the profile by developers or administrators
26level: medium
References
Related rules
- Potential Persistence Via PowerShell User Profile Using Add-Content
- PowerShell Profile Modification
- Abuse of Service Permissions to Hide Services Via Set-Service
- Abuse of Service Permissions to Hide Services Via Set-Service - PS
- Account Tampering - Suspicious Failed Logon Reasons