Potential Binary Proxy Execution Via VSDiagnostics.EXE
- source: sigma
- techniques:
- t1218
Description
Detects execution of “VSDiagnostics.exe” with the “start” command together with a “/launch:” (or “-launch:”) argument. That switch tells the diagnostics collector which binary to start, so the tool can be used to proxy the execution of arbitrary binaries.
Detection logic
selection_img:
  - Image|endswith: '\VSDiagnostics.exe'
  - OriginalFileName: 'VSDiagnostics.exe'
selection_cli_start:
  CommandLine|contains: 'start'
selection_cli_launch:
  CommandLine|contains:
    - ' /launch:'
    - ' -launch:'
condition: all of selection_*
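The following is an added example, not part of the Sigma rule or of the site hosting it: a small Python evaluator that applies the detection block above to a handful of constructed process-creation events. It implements just the pieces the rule needs (`contains`, `endswith`, exact match, a list of maps as OR, a map as AND, and `all of selection_*`), with Sigma's case-insensitive string matching. The events, paths and IDs are made up for illustration. Note that `selection_cli_start` alone (`contains: 'start'`) is broad; the `/launch:` selection and the image/original-filename check are what give the rule its precision, which the renamed-binary and cmd.exe events below are meant to show.

```python
"""Evaluate the VSDiagnostics.exe Sigma rule against constructed events (added example)."""

from __future__ import annotations

import fnmatch

# Selections transcribed from the rule's detection block above.
RULE = {
    "selection_img": [  # a list of maps: any one map matching is enough (OR)
        {"Image|endswith": r"\VSDiagnostics.exe"},
        {"OriginalFileName": "VSDiagnostics.exe"},
    ],
    "selection_cli_start": {"CommandLine|contains": "start"},
    "selection_cli_launch": {"CommandLine|contains": [" /launch:", " -launch:"]},
}
CONDITION_GLOB = "selection_*"  # from "condition: all of selection_*"


def _field_matches(event: dict, key: str, wanted) -> bool:
    """Apply one 'Field|modifier: value(s)' line to an event; values OR together."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:
        return False
    value = str(value).lower()  # Sigma string matching is case-insensitive
    candidates = wanted if isinstance(wanted, list) else [wanted]
    for w in candidates:
        w = str(w).lower()
        if modifier == "contains" and w in value:
            return True
        if modifier == "endswith" and value.endswith(w):
            return True
        if modifier == "" and value == w:
            return True
    return False


def _selection_matches(event: dict, selection) -> bool:
    if isinstance(selection, list):  # list of maps -> OR
        return any(_selection_matches(event, s) for s in selection)
    return all(_field_matches(event, k, v) for k, v in selection.items())  # map -> AND


def rule_matches(event: dict) -> bool:
    """'all of selection_*': every selection whose name fits the glob must match."""
    names = [n for n in RULE if fnmatch.fnmatch(n, CONDITION_GLOB)]
    return all(_selection_matches(event, RULE[n]) for n in names)


def evaluate(events: list[dict]) -> list[str]:
    """Return the ids of the events the rule fires on."""
    return [e["id"] for e in events if rule_matches(e)]


# Constructed sample events (not real telemetry; paths are illustrative).
SAMPLE_EVENTS = [
    {   # proxy execution through the collector's /launch: switch
        "id": "evt1",
        "Image": r"C:\Program Files (x86)\Microsoft Visual Studio\2022\Community\Team Tools\DiagnosticsHub\Collector\VSDiagnostics.exe",
        "OriginalFileName": "VSDiagnostics.exe",
        "CommandLine": r"VSDiagnostics.exe start 1 /launch:C:\Users\Public\payload.exe",
    },
    {   # renamed copy: Image no longer matches, OriginalFileName still does
        "id": "evt2",
        "Image": r"C:\Temp\svc.exe",
        "OriginalFileName": "VSDiagnostics.exe",
        "CommandLine": r"svc.exe start 2 -launch:C:\Temp\x.exe",
    },
    {   # benign use of the same binary: stop command, no launch argument
        "id": "evt3",
        "Image": r"C:\Program Files (x86)\Microsoft Visual Studio\2022\Community\Team Tools\DiagnosticsHub\Collector\VSDiagnostics.exe",
        "OriginalFileName": "VSDiagnostics.exe",
        "CommandLine": "VSDiagnostics.exe stop 1 /output:trace.diagsession",
    },
    {   # unrelated binary whose command line contains both strings
        "id": "evt4",
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd.exe /c start /launch:foo",
    },
]

if __name__ == "__main__":
    print("matched:", evaluate(SAMPLE_EVENTS))
```

Running the block prints `matched: ['evt1', 'evt2']`: the renamed copy is still caught through `OriginalFileName`, while the `stop` invocation and the cmd.exe event are not, which is the behaviour you want to confirm before deploying the rule against your own process-creation telemetry.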