Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Windows Terminal Profile Settings Modification By Uncommon Process

Detects the creation or modification of the Windows Terminal Profile settings file "settings.json" by an uncommon process.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
François Hubaut, Nasreddine Bencherchali (Nextron Systems)Created Sat Jul 229b64de98-9db3-4033-bd7a-f51430105f00windows
Log Source
WindowsFile Event
ProductWindows← raw: windows
CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic
Detection Logic1 selector
detection:
    selection:
        Image|endswith:
            # Note: Add other potential common applications
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
        TargetFilename|endswith: '\AppData\Local\Packages\Microsoft.WindowsTerminal_8wekyb3d8bbwe\LocalState\settings.json'
    condition: selection
False Positives

Some false positives may occur with admin scripts that set WT settings.

References
1
Resolving title…
github.com
2
Resolving title…
twitter.com
MITRE ATT&CK
Rule Metadata
Rule ID
9b64de98-9db3-4033-bd7a-f51430105f00
Status
test
Level
medium
Type
Detection
Created
Sat Jul 22
Author
François Hubaut, Nasreddine Bencherchali (Nextron Systems)
Path
rules/windows/file/file_event/file_event_win_susp_windows_terminal_profile.yml
Raw Tags
attack.privilege-escalationattack.persistenceattack.t1547.015
View on GitHub