Windows Terminal Profile Settings Modification By Uncommon Process
Detects the creation or modification of the Windows Terminal Profile settings file "settings.json" by an uncommon process.
Sigma rule

title: Windows Terminal Profile Settings Modification By Uncommon Process
id: 9b64de98-9db3-4033-bd7a-f51430105f00
status: experimental
description: Detects the creation or modification of the Windows Terminal Profile settings file "settings.json" by an uncommon process.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1547.015/T1547.015.md#atomic-test-1---persistence-by-modifying-windows-terminal-profile
    - https://twitter.com/nas_bench/status/1550836225652686848
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023/07/22
tags:
    - attack.persistence
    - attack.t1547.015
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            # Note: Add other potential common applications
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
        TargetFilename|endswith: '\AppData\Local\Packages\Microsoft.WindowsTerminal_8wekyb3d8bbwe\LocalState\settings.json'
    condition: selection
falsepositives:
    - Some false positives may occur with admin scripts that set WT settings.
level: medium
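The following is an added example, not part of the Sigma project or this rule: a small Python evaluator that applies the rule's selection logic (the OR-ed Image|endswith list AND-ed with the TargetFilename|endswith suffix, both matched case-insensitively as Sigma's default string matching does) to constructed Sysmon Event ID 11 file-create records. The user name "alice", the WindowsTerminal.exe install path and the preview-channel package folder in the records are made up for illustration.

```python
# Added example (not the Sigma project's code): evaluate the rule's
# 'selection' block against constructed Sysmon Event ID 11 (FileCreate) records.

# Image|endswith list from the rule: scripting/shell hosts that normally have
# no reason to write the terminal's settings file.
SUSPICIOUS_IMAGE_SUFFIXES = (
    "\\cmd.exe",
    "\\cscript.exe",
    "\\mshta.exe",
    "\\powershell.exe",
    "\\pwsh.exe",
    "\\wscript.exe",
)

# TargetFilename|endswith from the rule (stable-channel Windows Terminal package).
SETTINGS_SUFFIX = (
    "\\AppData\\Local\\Packages\\Microsoft.WindowsTerminal_8wekyb3d8bbwe"
    "\\LocalState\\settings.json"
)


def endswith_ci(value: str, suffix: str) -> bool:
    """Sigma's endswith modifier matches case-insensitively unless |cased is added."""
    return value.lower().endswith(suffix.lower())


def matches_selection(event: dict) -> bool:
    """Fields inside one selection map are AND-ed; values in a list are OR-ed."""
    image_hit = any(
        endswith_ci(event.get("Image", ""), suffix)
        for suffix in SUSPICIOUS_IMAGE_SUFFIXES
    )
    target_hit = endswith_ci(event.get("TargetFilename", ""), SETTINGS_SUFFIX)
    return image_hit and target_hit


WT_SETTINGS = (
    "C:\\Users\\alice\\AppData\\Local\\Packages\\"
    "Microsoft.WindowsTerminal_8wekyb3d8bbwe\\LocalState\\settings.json"
)

# Constructed records (only the fields the rule reads, plus an id for reporting).
CONSTRUCTED_EVENTS = [
    # E1: PowerShell writing settings.json -> matches
    {"id": "E1",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": WT_SETTINGS},
    # E2: the terminal saving its own settings is the expected writer and is
    # not in the Image list -> no match (hypothetical install path)
    {"id": "E2",
     "Image": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal_8wekyb3d8bbwe\\WindowsTerminal.exe",
     "TargetFilename": WT_SETTINGS},
    # E3: cmd.exe writing a settings.json under a different (constructed,
    # preview-style) package folder -> no match, the rule's suffix is
    # specific to the stable package id
    {"id": "E3",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Packages\\"
                       "Microsoft.WindowsTerminalPreview_8wekyb3d8bbwe\\LocalState\\settings.json"},
    # E4: pwsh.exe writing some other file -> no match
    {"id": "E4",
     "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\PowerShell\\profile.ps1"},
    # E5: upper-cased wscript path -> still matches (case-insensitive endswith)
    {"id": "E5",
     "Image": "C:\\WINDOWS\\SYSTEM32\\WSCRIPT.EXE",
     "TargetFilename": WT_SETTINGS.upper()},
]


def find_alerts(events) -> list:
    """Return the ids of events that would trigger the rule, in input order."""
    return [e["id"] for e in events if matches_selection(e)]


if __name__ == "__main__":
    for event_id in find_alerts(CONSTRUCTED_EVENTS):
        print("ALERT", event_id)
```

Records E2 and E3 show the two sides of the rule's tuning: the legitimate writer is excluded by listing only uncommon images rather than alerting on every write to the file, and the TargetFilename suffix is tied to one package id, so coverage of other Windows Terminal channels needs an extra suffix (the rule's own comment invites extending the list).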