VsCode Powershell Profile Modification

Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence

Sigma rule (View on GitHub)

 1title: VsCode Powershell Profile Modification
 2id: 3a9fa2ec-30bc-4ebd-b49e-7c9cff225502
 3related:
 4    - id: b5b78988-486d-4a80-b991-930eff3ff8bf
 5      type: similar
 6status: test
 7description: Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
 8references:
 9    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.2
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2022/08/24
12modified: 2023/01/06
13tags:
14    - attack.persistence
15    - attack.privilege_escalation
16    - attack.t1546.013
17logsource:
18    product: windows
19    category: file_event
20detection:
21    selection:
22        TargetFilename|endswith: '\Microsoft.VSCode_profile.ps1'
23    condition: selection
24falsepositives:
25    - Legitimate use of the profile by developers or administrators
26level: medium

References

Related rules

to-top