Techniques
Sample rules
Suspicious WindowsTerminal Child Processes
- source: sigma
- techniques:
Description
Detects suspicious child processes spawned via the Windows Terminal application, which could be a sign of persistence via WindowsTerminal (see references section)
Detection logic
```yaml
condition: all of selection_* and not 1 of filter_*
filter_builtin_visual_studio_shell:
    CommandLine|contains|all:
        - Import-Module
        - Microsoft.VisualStudio.DevShell.dll
        - Enter-VsDevShell
filter_open_settings:
    CommandLine|contains|all:
        - \AppData\Local\Packages\Microsoft.WindowsTerminal_
        - \LocalState\settings.json
filter_vsdevcmd:
    CommandLine|contains|all:
        - C:\Program Files\Microsoft Visual Studio\
        - \Common7\Tools\VsDevCmd.bat
selection_parent:
    ParentImage|endswith:
        - \WindowsTerminal.exe
        - \wt.exe
selection_susp:
    - Image|endswith:
          - \rundll32.exe
          - \regsvr32.exe
          - \certutil.exe
          - \cscript.exe
          - \wscript.exe
          - \csc.exe
    - Image|contains:
          - C:\Users\Public\
          - \Downloads\
          - \Desktop\
          - \AppData\Local\Temp\
          - \Windows\TEMP\
    - CommandLine|contains:
          - ' iex '
          - ' icm'
          - Invoke-
          - 'Import-Module '
          - 'ipmo '
          - DownloadString(
          - ' /c '
          - ' /k '
          - ' /r '
```
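As an added example (not the rule's own code or SigmaHQ tooling), the selections and filters above evaluated in Python over a few constructed process_creation events: one true hit, the two benign launches the filters exclude, and a non-terminal parent. The executable paths and the `ev` helper are assumptions made for the example.

```python
# Added example, not part of the page or of SigmaHQ: evaluates this rule's
# detection logic over constructed process_creation events.
PARENT_IMAGES = ("\\WindowsTerminal.exe", "\\wt.exe")
SUSP_IMAGE_SUFFIX = ("\\rundll32.exe", "\\regsvr32.exe", "\\certutil.exe",
                     "\\cscript.exe", "\\wscript.exe", "\\csc.exe")
SUSP_IMAGE_PATH = ("C:\\Users\\Public\\", "\\Downloads\\", "\\Desktop\\",
                   "\\AppData\\Local\\Temp\\", "\\Windows\\TEMP\\")
SUSP_CMDLINE = (" iex ", " icm", "Invoke-", "Import-Module ", "ipmo ",
                "DownloadString(", " /c ", " /k ", " /r ")
FILTERS = (  # contains|all lists: every substring of a filter must be present
    ("Import-Module", "Microsoft.VisualStudio.DevShell.dll", "Enter-VsDevShell"),
    ("\\AppData\\Local\\Packages\\Microsoft.WindowsTerminal_",
     "\\LocalState\\settings.json"),
    ("C:\\Program Files\\Microsoft Visual Studio\\", "\\Common7\\Tools\\VsDevCmd.bat"),
)

def matches(event):
    """'all of selection_* and not 1 of filter_*'; Sigma matches case-insensitively."""
    image = event["Image"].lower()
    parent = event["ParentImage"].lower()
    cmd = event["CommandLine"].lower()
    selection_parent = parent.endswith(tuple(p.lower() for p in PARENT_IMAGES))
    selection_susp = (image.endswith(tuple(s.lower() for s in SUSP_IMAGE_SUFFIX))
                      or any(p.lower() in image for p in SUSP_IMAGE_PATH)
                      or any(c.lower() in cmd for c in SUSP_CMDLINE))
    excluded = any(all(part.lower() in cmd for part in f) for f in FILTERS)
    return selection_parent and selection_susp and not excluded

def ev(parent, image, cmd):  # assumed helper building one event dict
    return {"ParentImage": parent, "Image": image, "CommandLine": cmd}

WT = r"C:\Program Files\WindowsApps\Terminal\WindowsTerminal.exe"  # constructed path
EVENTS = [  # constructed sample events, not real telemetry
    # script host spawned from Windows Terminal -> alert
    ev(WT, r"C:\Windows\System32\wscript.exe",
       r"wscript.exe C:\Users\u\AppData\Local\Temp\run.vbs"),
    # Visual Studio Developer PowerShell profile -> excluded by filter
    ev(WT.replace("WindowsTerminal.exe", "wt.exe"),
       r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
       r'powershell.exe -noe -c "Import-Module C:\VS\Microsoft.VisualStudio.DevShell.dll;'
       r' Enter-VsDevShell"'),
    # cmd /c used to open the terminal's own settings.json -> excluded by filter
    ev(WT, r"C:\Windows\System32\cmd.exe",
       r"cmd.exe /c notepad C:\Users\u\AppData\Local\Packages"
       r"\Microsoft.WindowsTerminal_8wekyb3d8bbwe\LocalState\settings.json"),
    # same cmd /c pattern but the parent is not Windows Terminal -> no alert
    ev(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
]

def evaluate(events=EVENTS):  # one verdict per event, in order
    return [matches(e) for e in events]
```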