Windows Terminal Profile Settings Modification By Uncommon Process
Detects the creation or modification of the Windows Terminal Profile settings file "settings.json" by an uncommon process.
Sigma rule
```yaml
title: Windows Terminal Profile Settings Modification By Uncommon Process
id: 9b64de98-9db3-4033-bd7a-f51430105f00
status: test
description: Detects the creation or modification of the Windows Terminal Profile settings file "settings.json" by an uncommon process.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1547.015/T1547.015.md#atomic-test-1---persistence-by-modifying-windows-terminal-profile
    - https://twitter.com/nas_bench/status/1550836225652686848
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-22
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.015
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            # Note: Add other potential common applications
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
        TargetFilename|endswith: '\AppData\Local\Packages\Microsoft.WindowsTerminal_8wekyb3d8bbwe\LocalState\settings.json'
    condition: selection
falsepositives:
    - Some false positives may occur with admin scripts that set WT settings.
level: medium
```
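As an added example that is not part of the Sigma project or of this rule, the Python below applies the rule's `selection` logic to a few constructed Sysmon-style file events (field names `Image` and `TargetFilename` as used in the rule). The sample process paths are assumptions, and the version segment in the `WindowsTerminal.exe` path is a placeholder.

```python
# Added example: a minimal evaluator for the rule above, run over
# constructed file-create events. Not code from the Sigma project.
from typing import Dict, List

# Values copied from the rule's selection block.
UNCOMMON_IMAGES = (
    "\\cmd.exe", "\\cscript.exe", "\\mshta.exe",
    "\\powershell.exe", "\\pwsh.exe", "\\wscript.exe",
)
WT_SETTINGS_SUFFIX = (
    "\\AppData\\Local\\Packages\\Microsoft.WindowsTerminal_8wekyb3d8bbwe"
    "\\LocalState\\settings.json"
)


def matches_rule(event: Dict[str, str]) -> bool:
    """True when the event satisfies the rule's 'selection'.

    Sigma string modifiers such as |endswith compare case-insensitively,
    so both fields are lower-cased before comparison.
    """
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    if not target.endswith(WT_SETTINGS_SUFFIX.lower()):
        return False
    return any(image.endswith(s.lower()) for s in UNCOMMON_IMAGES)


def alert_on(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter a batch of file events down to those that fire the rule."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events; paths are assumed, not taken from real logs.
WT_SETTINGS = ("C:\\Users\\alice\\AppData\\Local\\Packages\\"
               "Microsoft.WindowsTerminal_8wekyb3d8bbwe\\LocalState\\settings.json")
SAMPLE_EVENTS = [
    {  # powershell.exe rewriting settings.json: fires the rule
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "TargetFilename": WT_SETTINGS},
    {  # Windows Terminal saving its own settings: benign, no match
        "Image": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal_"
                 "<version>_x64__8wekyb3d8bbwe\\WindowsTerminal.exe",
        "TargetFilename": WT_SETTINGS},
    {  # cmd.exe writing an unrelated file: no match
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\out.txt"},
]

if __name__ == "__main__":
    for hit in alert_on(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "->", hit["TargetFilename"])
```

The second sample shows why the rule lists specific scripting hosts rather than matching every writer of `settings.json`: the terminal's own process must stay silent.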