Adversaries may modify Windows Terminal profile settings using an uncommon process to persistently execute arbitrary commands or escalate privileges. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or command and control activities.
Detection Rule
title: Windows Terminal Profile Settings Modification By Uncommon Process
id: 9b64de98-9db3-4033-bd7a-f51430105f00
status: test
description: Detects the creation or modification of the Windows Terminal Profile settings file "settings.json" by an uncommon process.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1547.015/T1547.015.md#atomic-test-1---persistence-by-modifying-windows-terminal-profile
- https://twitter.com/nas_bench/status/1550836225652686848
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-22
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.015
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith:
# Note: Add other potential common applications
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wscript.exe'
TargetFilename|endswith: '\AppData\Local\Packages\Microsoft.WindowsTerminal_8wekyb3d8bbwe\LocalState\settings.json'
condition: selection
falsepositives:
- Some false positives may occur with admin scripts that set WT settings.
level: medium
imFileEvent
| where (TargetFilePath endswith "\\cmd.exe" or TargetFilePath endswith "\\cscript.exe" or TargetFilePath endswith "\\mshta.exe" or TargetFilePath endswith "\\powershell.exe" or TargetFilePath endswith "\\pwsh.exe" or TargetFilePath endswith "\\wscript.exe") and TargetFileName endswith "\\AppData\\Local\\Packages\\Microsoft.WindowsTerminal_8wekyb3d8bbwe\\LocalState\\settings.json"Scenario: System Update or Patching Tool Modifies Profile Settings
Description: A legitimate system update tool (e.g., Windows Update, Microsoft Endpoint Configuration Manager) may modify the Windows Terminal profile settings during a configuration or policy deployment.
Filter/Exclusion: Check the process name (ProcessName) against known system update tools like wusa.exe, msiexec.exe, or setup.exe.
Scenario: Scheduled Task for Configuration Management
Description: A scheduled task (e.g., via SCCM, Ansible, or Puppet) may modify the profile settings as part of a routine configuration management process.
Filter/Exclusion: Exclude processes associated with configuration management tools (e.g., schtasks.exe, ansible.exe, puppet.exe) or use a ProcessName filter to exclude known task runners.
Scenario: User-Initiated Profile Customization via PowerShell
Description: A user may manually edit the Windows Terminal profile settings using PowerShell or a script, which could trigger the rule.
Filter/Exclusion: Filter by User field to exclude administrative users or include a CommandLine check for known user-editing commands like Set-Content or Out-File.
Scenario: Third-Party Application Integration with Terminal
Description: A third-party application (e.g., Visual Studio Code, Azure CLI, or Docker) may modify the terminal profile settings during installation or configuration.
Filter/Exclusion: Exclude processes associated with these applications (e.g., code.exe, docker.exe, az.exe) or use a ProcessName filter to block known integrations.
Scenario: Malware or Ransomware Mimicking Legitimate Process
Description: Malware may impersonate a legitimate process (e.g., taskmgr.exe, `explorer.exe