VsCode Powershell Profile Modification
Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
Sigma rule (View on GitHub)
1title: VsCode Powershell Profile Modification
2id: 3a9fa2ec-30bc-4ebd-b49e-7c9cff225502
3related:
4 - id: b5b78988-486d-4a80-b991-930eff3ff8bf
5 type: similar
6status: test
7description: Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
8references:
9 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.2
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2022/08/24
12modified: 2023/01/06
13tags:
14 - attack.persistence
15 - attack.privilege_escalation
16 - attack.t1546.013
17logsource:
18 product: windows
19 category: file_event
20detection:
21 selection:
22 TargetFilename|endswith: '\Microsoft.VSCode_profile.ps1'
23 condition: selection
24falsepositives:
25 - Legitimate use of the profile by developers or administrators
26level: medium
References
Related rules
- PowerShell Profile Modification
- Potential Persistence Via PowerShell User Profile Using Add-Content
- Cisco BGP Authentication Failures
- Cisco LDP Authentication Failures
- Huawei BGP Authentication Failures