Potentially Suspicious Child Process Of VsCode

Rule Info

Name: Potentially Suspicious Child Process Of VsCode
Author: Nasreddine Bencherchali (Nextron Systems)
Description: Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.
Date: 2023-01-26 00:00:00
Modified: 2023-10-25 00:00:00
Id: 5a3164f2-b373-4152-93cf-090b13c12d27
Tags: attack.execution attack.defense_evasion attack.t1218 attack.t1202 DEMO
Type: Community Rule

Rule History

Author | Title | Date | Commit
citronninja | Merge PR #4463 from @citronninja - Add New Rules Related to VsCode Tunnel Usage & Abuse | 2023-10-28 |
Wagga | fix: typos in multiple rules (#4011) | 2023-02-06 |
Nasreddine Bencherchali | chore: add nextron authors tag | 2023-02-01 |
Nasreddine Bencherchali | feat: updates and fixes | 2023-01-26 |