The modification of a VSCode PowerShell profile may indicate an adversary establishing persistence to execute malicious code under the guise of legitimate user activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential long-term access and command and control mechanisms.
Detection Rule
```yaml
title: VsCode Powershell Profile Modification
id: 3a9fa2ec-30bc-4ebd-b49e-7c9cff225502
related:
    - id: b5b78988-486d-4a80-b991-930eff3ff8bf
      type: similar
status: test
description: Detects the creation or modification of a VSCode-related PowerShell profile, which could indicate suspicious activity as the profile can be used as a means of persistence
references:
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.2
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-24
modified: 2023-01-06
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1546.013
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: '\Microsoft.VSCode_profile.ps1'
    condition: selection
falsepositives:
    - Legitimate use of the profile by developers or administrators
level: medium
```
Equivalent Azure Sentinel query over the ASIM file event parser:

```kql
imFileEvent
// ASIM's TargetFileName holds only the file name, so a path suffix must be
// matched against TargetFilePath; KQL endswith is case-insensitive like Sigma.
| where TargetFilePath endswith "\\Microsoft.VSCode_profile.ps1"
```
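As an added example (not part of the original rule or its author's code), the rule's suffix match and the developer allowlist tuning described in the false-positive scenarios, applied to a few constructed Sysmon-style file events; the event shape, user names and the allowlist are assumptions:

```python
# Constructed sample file-creation events in a minimal Sysmon Event ID 11 shape.
# Illustrative records only, not telemetry from the rule's source.
SAMPLE_EVENTS = [
    {"EventID": 11, "User": "CORP\\alice",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\PowerShell\\Microsoft.VSCode_profile.ps1"},
    {"EventID": 11, "User": "CORP\\bob",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Users\\bob\\Documents\\WindowsPowerShell\\Microsoft.VSCode_profile.ps1"},
    {"EventID": 11, "User": "CORP\\carol",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "TargetFilename": "C:\\Users\\carol\\Documents\\PowerShell\\Microsoft.PowerShell_profile.ps1"},
]

# Hypothetical allowlist of developers whose profile edits from VS Code are expected.
KNOWN_DEVELOPERS = {"corp\\alice"}

PROFILE_SUFFIX = "\\microsoft.vscode_profile.ps1"


def rule_matches(event):
    """Sigma selection: TargetFilename|endswith '\\Microsoft.VSCode_profile.ps1'.
    Sigma string values match case-insensitively, so compare lower-cased."""
    return event.get("TargetFilename", "").lower().endswith(PROFILE_SUFFIX)


def tuned_out(event, developers):
    """False-positive tuning from the scenarios: suppress only when a known
    developer writes the profile from the VS Code editor process itself."""
    user = event.get("User", "").lower()
    image = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    return user in developers and "code" in image


def triage(events, developers=KNOWN_DEVELOPERS):
    """Return (user, target, verdict) for every event the rule matches."""
    results = []
    for event in events:
        if not rule_matches(event):
            continue
        verdict = "suppressed" if tuned_out(event, developers) else "alert"
        results.append((event["User"], event["TargetFilename"], verdict))
    return results


if __name__ == "__main__":
    for user, target, verdict in triage(SAMPLE_EVENTS):
        print(f"{verdict:10} {user:12} {target}")
```

The profile written by cmd.exe under a non-developer account is the case the scenarios leave as a live alert; an unrelated PowerShell profile never enters the rule.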
False Positive Scenarios

Scenario: Developer updates their PowerShell profile for custom aliases
Description: A developer modifies their personal VSCode PowerShell profile to add custom aliases or functions for productivity.
Filter/Exclusion: Check the User field to exclude non-admin users, or filter by EventID 4688 with ProcessName containing code and User matching known developers.

Scenario: System administrator configures a scheduled job using a VSCode profile
Description: An admin creates a scheduled task that uses a VSCode profile to run a legitimate maintenance script.
Filter/Exclusion: Filter by EventID 4688 with ProcessName containing schtasks or schtasks.exe, and check the CommandLine for known admin scripts.

Scenario: IT team deploys a PowerShell module via VSCode profile
Description: IT deploys a module by adding a script to the VSCode profile to load the module on login.
Filter/Exclusion: Check the CommandLine for module loading commands like Import-Module, and verify the User is part of the IT team or admin group.

Scenario: User runs a script from a VSCode profile to automate a routine task
Description: A user has a script in their VSCode profile that runs a legitimate automation task, such as backing up files.
Filter/Exclusion: Filter by EventID 4688 with ProcessName containing code and check the CommandLine for known legitimate scripts or paths.

Scenario: Security tool or SIEM configuration uses a VSCode profile for logging
Description: A security tool or SIEM configuration script is placed in a VSCode profile to execute on login for logging or monitoring.
Filter/Exclusion: Check the