Techniques
Sample rules
Windows Terminal Profile Settings Modification By Uncommon Process
- source: sigma
- techniques:
  - t1547
  - t1547.015
Description
Detects the creation or modification of the Windows Terminal Profile settings file “settings.json” by an uncommon process.
Detection logic
condition: selection
selection:
  Image|endswith:
    - \cmd.exe
    - \cscript.exe
    - \mshta.exe
    - \powershell.exe
    - \pwsh.exe
    - \wscript.exe
  TargetFilename|endswith: \AppData\Local\Packages\Microsoft.WindowsTerminal_8wekyb3d8bbwe\LocalState\settings.json
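The selection above, evaluated over file events, as an added example that is not part of the Sigma rule or its project. It assumes events arrive as dictionaries carrying the rule's `Image` and `TargetFilename` fields; the sample events, user name and paths are constructed.

```python
# Added illustration: evaluates the rule's selection over file events.
# Sigma semantics applied here: string matches are case-insensitive,
# a list of values is OR'ed, and the fields of one selection are AND'ed.

IMAGE_SUFFIXES = (
    "\\cmd.exe", "\\cscript.exe", "\\mshta.exe",
    "\\powershell.exe", "\\pwsh.exe", "\\wscript.exe",
)
TARGET_SUFFIX = (
    "\\AppData\\Local\\Packages\\Microsoft.WindowsTerminal_8wekyb3d8bbwe"
    "\\LocalState\\settings.json"
)


def endswith_ci(value, suffixes):
    """Sigma 'endswith' modifier: case-insensitive, any suffix may match."""
    if not isinstance(value, str):
        return False  # a missing or non-string field never matches
    return value.lower().endswith(tuple(s.lower() for s in suffixes))


def matches_rule(event):
    """True when the event satisfies 'selection' (both fields must match)."""
    return (endswith_ci(event.get("Image"), IMAGE_SUFFIXES)
            and endswith_ci(event.get("TargetFilename"), (TARGET_SUFFIX,)))


def alerts(events):
    """Return the events the rule would flag."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (hypothetical user and paths).
BASE = "C:\\Users\\alice" + TARGET_SUFFIX
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": BASE},                        # listed process: match
    {"Image": "C:\\WINDOWS\\SYSTEM32\\MSHTA.EXE",
     "TargetFilename": BASE.upper()},                # case differs: match
    {"Image": "C:\\Program Files\\WindowsApps\\WindowsTerminal.exe",
     "TargetFilename": BASE},                        # process not listed
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Code\\User\\settings.json"},
    {"Image": "C:\\tools\\notcmd.exe", "TargetFilename": BASE},  # no '\' before cmd.exe
    {"TargetFilename": BASE},                        # Image field missing
]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "->", hit["TargetFilename"])
```

The leading backslash in each `Image` suffix is what keeps a binary such as `notcmd.exe` from matching, and a write by a process outside the list is not flagged by this selection.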