Sample rules
Malicious PE Execution by Microsoft Visual Studio Debugger
- source: sigma
- techniques:
- t1218
Description
The Microsoft Visual Studio Just-In-Time Debugger, "vsjitdebugger.exe", has an option to launch a specified executable and attach a debugger to it. Adversaries may use this option to execute malicious code under a signed, verified binary. The debugger is installed alongside the Microsoft Visual Studio package.
Detection logic
condition: selection and not (reduction1 or reduction2)
reduction1:
    Image|endswith: \vsimmersiveactivatehelper*.exe
reduction2:
    Image|endswith: \devenv.exe
selection:
    ParentImage|endswith: \vsjitdebugger.exe
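The condition above, evaluated in Python over a few constructed process-creation events (an added example, not part of the Sigma rule or of any Sigma tooling). It assumes Sysmon-style Image/ParentImage fields as used in the rule, implements the endswith modifier as a case-insensitive suffix match with "*" wildcards, and uses made-up paths.

```python
import fnmatch
from typing import Dict, List

# Constructed sample events in Sysmon-style process-creation fields (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Legitimate: JIT debugger handing off to the Visual Studio IDE (reduction2).
    {"Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "ParentImage": r"C:\Windows\System32\vsjitdebugger.exe"},
    # Legitimate: the immersive activation helper, matched by the wildcard pattern (reduction1).
    {"Image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\VsImmersiveActivateHelper.exe",
     "ParentImage": r"C:\Windows\System32\vsjitdebugger.exe"},
    # Suspicious: an arbitrary binary launched through the debugger (should alert).
    {"Image": r"C:\Users\Public\suspicious.exe",
     "ParentImage": r"C:\Windows\System32\vsjitdebugger.exe"},
    # Unrelated: parent is not vsjitdebugger.exe, so the selection does not fire.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def endswith(value: str, pattern: str) -> bool:
    """Sigma 'endswith' modifier: case-insensitive suffix match, '*' wildcard allowed.

    Prepending '*' turns the suffix pattern into a full-string glob; fnmatch treats
    backslashes as literal characters, so Windows paths need no escaping.
    """
    return fnmatch.fnmatchcase(value.lower(), "*" + pattern.lower())


def matches_rule(event: Dict[str, str]) -> bool:
    """Evaluates the rule condition: selection and not (reduction1 or reduction2)."""
    image = event.get("Image", "")
    selection = endswith(event.get("ParentImage", ""), r"\vsjitdebugger.exe")
    reduction1 = endswith(image, r"\vsimmersiveactivatehelper*.exe")
    reduction2 = endswith(image, r"\devenv.exe")
    return selection and not (reduction1 or reduction2)


def alerts(events: List[Dict[str, str]]) -> List[str]:
    """Returns the Image of every event that triggers the rule."""
    return [e["Image"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for image in alerts(SAMPLE_EVENTS):
        print("ALERT: vsjitdebugger.exe spawned", image)
```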