
Windows Terminal Profile Settings Modification By Uncommon Process

Severity: medium
Author: frack113, Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects the creation or modification of the Windows Terminal profile settings file "settings.json" by an uncommon process. Two operational caveats apply: Sysmon Event ID 11 is raised when a file is created or overwritten (which covers the usual scripted rewrite of settings.json) but not when an existing file is opened and edited in place, and Sysmon only emits Event ID 11 for paths covered by its FileCreate configuration, so the deployed Sysmon config must include this path for the rule to fire at all.

MITRE ATT&CK coverage

Tactic | Technique
Persistence | T1547.015 Boot or Logon Autostart Execution: Login Items
Privilege Escalation | T1547.015 Boot or Logon Autostart Execution: Login Items

Event coverage

Provider | Event ID | Title
Sysmon | 11 | FileCreate

Stages and Predicates

Stage 1: selection

The two predicates below are combined with AND: the event must come from one of the listed images and must target the Windows Terminal settings file. Listing them as a flat alternation would make the rule fire on every file cmd.exe or powershell.exe creates, which is not what "by an uncommon process" means.

and:
  Image|endswith (any of):
    '\cmd.exe'
    '\cscript.exe'
    '\mshta.exe'
    '\powershell.exe'
    '\pwsh.exe'
    '\wscript.exe'
  TargetFilename|endswith: '\AppData\Local\Packages\Microsoft.WindowsTerminal_8wekyb3d8bbwe\LocalState\settings.json'
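The following is an added worked example, not code from the upstream rule or the Sigma project: it reproduces the selection logic above in Python and runs it over constructed Sysmon Event ID 11 records (not real telemetry). It assumes, as the rule description requires, that the Image list and the TargetFilename predicate are a conjunction, and it applies Sigma's default case-insensitive string matching. The sample records include the benign case the rule must not fire on (Windows Terminal saving its own settings) and an unlisted interpreter writing the file, which shows the denylist's coverage gap.

```python
"""Evaluate the 'Windows Terminal Profile Settings Modification By Uncommon
Process' selection logic over constructed Sysmon Event ID 11 records.
Added example; field values are copied from the rule as listed on this page."""
from typing import Dict, Iterable, List

# Image suffixes from the rule (the "uncommon process" denylist).
UNCOMMON_IMAGES = (
    r"\cmd.exe",
    r"\cscript.exe",
    r"\mshta.exe",
    r"\powershell.exe",
    r"\pwsh.exe",
    r"\wscript.exe",
)

# TargetFilename suffix from the rule. The package family name pins this to
# Windows Terminal's own settings.json, not any file called settings.json.
SETTINGS_JSON = (
    r"\AppData\Local\Packages\Microsoft.WindowsTerminal_8wekyb3d8bbwe"
    r"\LocalState\settings.json"
)


def endswith_ci(value: str, suffix: str) -> bool:
    """Sigma string modifiers compare case-insensitively by default."""
    return value.lower().endswith(suffix.lower())


def matches(event: Dict[str, object]) -> bool:
    """True when BOTH selections hold: any listed Image AND the settings path.
    Assumption: events are flat dicts keyed by Sysmon field name."""
    if event.get("EventID") != 11:          # only FileCreate is in scope
        return False
    image = str(event.get("Image", ""))
    target = str(event.get("TargetFilename", ""))
    image_hit = any(endswith_ci(image, s) for s in UNCOMMON_IMAGES)
    target_hit = endswith_ci(target, SETTINGS_JSON)
    return image_hit and target_hit


def alerts(events: Iterable[Dict[str, object]]) -> List[str]:
    """Return the Image of every event that triggers the rule, in order."""
    return [str(e["Image"]) for e in events if matches(e)]


# Constructed sample events (hypothetical user 'alice'); not real logs.
_WT_SETTINGS = (r"C:\Users\alice\AppData\Local\Packages"
                r"\Microsoft.WindowsTerminal_8wekyb3d8bbwe\LocalState\settings.json")
SAMPLE_EVENTS = [
    # 1. Scripted rewrite of the profile file: should alert.
    {"EventID": 11,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": _WT_SETTINGS},
    # 2. Windows Terminal saving its own settings: expected benign, no alert.
    {"EventID": 11,
     "Image": r"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.18.3181.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe",
     "TargetFilename": _WT_SETTINGS},
    # 3. Listed image, unrelated file: no alert (this is why it is AND, not OR).
    {"EventID": 11,
     "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
    # 4. Upper-case image and path: still alerts (case-insensitive matching).
    {"EventID": 11,
     "Image": r"C:\PROGRAM FILES\POWERSHELL\7\PWSH.EXE",
     "TargetFilename": _WT_SETTINGS.upper()},
    # 5. Unlisted interpreter writing the file: silent, a coverage gap.
    {"EventID": 11,
     "Image": r"C:\Python311\python.exe",
     "TargetFilename": _WT_SETTINGS},
    # 6. Same actor but a different event type (ProcessCreate): out of scope.
    {"EventID": 1,
     "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": _WT_SETTINGS},
]

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS, 1):
        print(f"event {i}: {'ALERT' if matches(ev) else 'no match'}  {ev['Image']}")
```

Event 5 is the point to keep in mind when tuning: the rule is a denylist of interpreters, so a renamed binary or an unlisted tool that rewrites settings.json produces no alert. Pairing this rule with a baseline of which images normally write that path in your environment is the usual way to close that gap.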

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field | Kind | Values
Image | ends_with
  • \cmd.exe corpus 92 (sigma 92)
  • \cscript.exe corpus 64 (sigma 64)
  • \mshta.exe corpus 57 (sigma 57)
  • \powershell.exe corpus 143 (sigma 143)
  • \pwsh.exe corpus 140 (sigma 140)
  • \wscript.exe corpus 64 (sigma 64)
TargetFilename | ends_with
  • \AppData\Local\Packages\Microsoft.WindowsTerminal_8wekyb3d8bbwe\LocalState\settings.json