Techniques
Sample rules
Suspicious Vsls-Agent Command With AgentExtensionPath Load
- source: sigma
- techniques:
  - t1218
Description
Detects execution of the Microsoft Visual Studio vsls-agent.exe LOLBIN with a suspicious library load via the --agentExtensionPath parameter.
Detection logic
condition: selection and not filter
filter:
  CommandLine|contains: Microsoft.VisualStudio.LiveShare.Agent.
selection:
  CommandLine|contains: --agentExtensionPath
  Image|endswith: \vsls-agent.exe
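The sketch below is an added example, not part of the Sigma rule or its project. It evaluates the `selection and not filter` condition against process-creation events, using Sigma's default case-insensitive string matching. The event dictionaries, their `id` field, the file paths and the function names are constructed for illustration.

```python
# Added example: evaluates the rule's condition over constructed events.
# Field names (Image, CommandLine) and match strings come from the rule above;
# everything else (paths, ids, function names) is an assumption.

def _contains(value, needle):
    # Sigma "contains" modifier: case-insensitive substring match.
    return needle.lower() in value.lower()

def _endswith(value, suffix):
    # Sigma "endswith" modifier: case-insensitive suffix match.
    return value.lower().endswith(suffix.lower())

def matches_rule(event):
    """Return True when the event satisfies `selection and not filter`."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    # selection: both fields must match (AND within one selection map).
    selection = (_endswith(image, r"\vsls-agent.exe")
                 and _contains(cmd, "--agentExtensionPath"))
    # filter: command line references the stock Live Share agent extension.
    filtered = _contains(cmd, "Microsoft.VisualStudio.LiveShare.Agent.")
    return selection and not filtered

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\VS\LiveShare\Agent\vsls-agent.exe",
     "CommandLine": r"vsls-agent.exe --agentExtensionPath C:\Users\Public\example.dll"},
    {"id": 2, "Image": r"C:\VS\LiveShare\Agent\vsls-agent.exe",
     "CommandLine": r"vsls-agent.exe --agentExtensionPath "
                    r"C:\VS\LiveShare\Agent\Microsoft.VisualStudio.LiveShare.Agent.Example.dll"},
    {"id": 3, "Image": r"C:\VS\LIVESHARE\AGENT\VSLS-AGENT.EXE",
     "CommandLine": r"VSLS-AGENT.EXE --AGENTEXTENSIONPATH C:\Temp\example.dll"},
    {"id": 4, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo --agentExtensionPath"},
    {"id": 5, "Image": r"C:\VS\LiveShare\Agent\vsls-agent.exe",
     "CommandLine": "vsls-agent.exe --help"},
]

def triage(events):
    """Return the ids of events that would raise an alert."""
    return [e["id"] for e in events if matches_rule(e)]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Events 1 and 3 alert. Event 2 is suppressed by the filter, event 4 fails the Image match, and event 5 lacks the parameter.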