Rule Info
Name
VSCode Tasks.json File Creation
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the creation of `.vscode/tasks.json` files which can be abused to auto-run malicious scripts when a VSCode workspace is opened and trusted by the user.
This technique was observed in the "Contagious Interview" campaign where threat actors exploited VS Code's workspace trust model to execute malicious tasks upon opening a new project.
Attackers may create or modify `tasks.json` to define tasks that run malicious commands or scripts automatically when the workspace is opened and trusted by the user.
Legitimate use cases include developers configuring build or deployment tasks, but unexpected creation of such files in unfamiliar projects may indicate malicious activity.
Date
2026-04-02 00:00:00
Modified
None
Id
8c5a5e2d-3b1f-4a8e-9f7c-6d2e1a0b5c4d
Tags
attack.execution attack.persistence attack.t1059
Type
Nextron Sigma feed only (private)
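
A file-creation alert on `.vscode/tasks.json` still has to be triaged, since most such files are ordinary build configuration. The following is an added example, not part of the rule or of Nextron's code: it scans a directory tree for `.vscode/tasks.json` files and reports only tasks configured with VS Code's `runOptions.runOn` set to `folderOpen`, the option that starts a task when the folder is opened. The function names, sample workspaces and sample commands are constructed for illustration.

```python
import json, re, tempfile
from pathlib import Path

# tasks.json is JSON with comments: drop comments and trailing commas, keep strings.
_STR = r'"(?:\\.|[^"\\])*"'
_COMMENT = re.compile(_STR + r'|//[^\n]*|/\*.*?\*/', re.S)
_COMMA = re.compile(_STR + r'|,(?=\s*[}\]])', re.S)

def _keep_str(m):
    return m.group(0) if m.group(0).startswith('"') else ""

def load_jsonc(text):
    return json.loads(_COMMA.sub(_keep_str, _COMMENT.sub(_keep_str, text)))

def autorun_tasks(root):
    """Return (file, label, command) for each task that runs on folder open."""
    hits = []
    for path in sorted(Path(root).rglob("tasks.json")):
        if path.parent.name != ".vscode":
            continue
        try:
            doc = load_jsonc(path.read_text(encoding="utf-8", errors="replace"))
        except ValueError:
            hits.append((str(path), "<unparseable, review by hand>", ""))
            continue
        tasks = doc.get("tasks") if isinstance(doc, dict) else None
        for task in tasks if isinstance(tasks, list) else []:
            opts = task.get("runOptions") if isinstance(task, dict) else None
            if isinstance(opts, dict) and opts.get("runOn") == "folderOpen":
                hits.append((str(path), str(task.get("label", "")),
                             str(task.get("command", ""))))
    return hits

def demo():
    """Scan two constructed workspaces; only repo_a has an auto-run task."""
    samples = {
        "repo_a": '{ // constructed sample\n "version": "2.0.0", "tasks": [\n'
                  ' {"label": "env", "type": "shell", "command": "sh ./setup.sh",\n'
                  '  "runOptions": {"runOn": "folderOpen"}},\n ]}',
        "repo_b": '{"version": "2.0.0", "tasks": ['
                  '{"label": "build", "type": "shell", "command": "make"}]}',
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            cfg = Path(tmp, name, ".vscode")
            cfg.mkdir(parents=True)
            (cfg / "tasks.json").write_text(body, encoding="utf-8")
        return [(Path(f).parts[-3], lbl, cmd) for f, lbl, cmd in autorun_tasks(tmp)]

if __name__ == "__main__":
    print(demo())
```

Files that fail to parse are reported rather than skipped, so a malformed or deliberately odd `tasks.json` still reaches an analyst.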
