Detectionmediumtest

VsCode Powershell Profile Modification

Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems)Created Wed Aug 24Updated Fri Jan 063a9fa2ec-30bc-4ebd-b49e-7c9cff225502windows

Log Source

WindowsFile Event

ProductWindows← raw: windows

CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic

detection:
    selection:
        TargetFilename|endswith: '\Microsoft.VSCode_profile.ps1'
    condition: selection

False Positives

Legitimate use of the profile by developers or administrators

References

Resolving title…

learn.microsoft.com

MITRE ATT&CK

Tactics

TA0003 · Persistence TA0004 · Privilege Escalation

Sub-techniques

T1546.013 · PowerShell Profile

Related Rules

SimilarDetectionmedium

PowerShell Profile Modification

Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

3a9fa2ec-30bc-4ebd-b49e-7c9cff225502

Status

test

Level

medium

Type

Detection

Created

Wed Aug 24

Modified

Fri Jan 06

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml

Raw Tags

attack.persistenceattack.privilege-escalationattack.t1546.013

View on GitHub