Potentially Suspicious Child Process Of VsCode
Detection rule, level: medium, status: test
Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt at persistence via VsCode tasks or terminal profiles.
Author: Nasreddine Bencherchali (Nextron Systems)
Created: Thu Jan 26
Updated: Wed Oct 25
Rule ID: 5a3164f2-b373-4152-93cf-090b13c12d27
Product: windows
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic (4 selectors)

detection:
    selection_parent:
        ParentImage|endswith: '\code.exe'
    selection_children_images:
        Image|endswith:
            - '\calc.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\cscript.exe'
            - '\wscript.exe'
    selection_children_cli:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
        CommandLine|contains:
            - 'Invoke-Expressions'
            - 'IEX'
            - 'Invoke-Command'
            - 'ICM'
            - 'DownloadString'
            - 'rundll32'
            - 'regsvr32'
            - 'wscript'
            - 'cscript'
    selection_children_paths:
        Image|contains:
            # Add more suspicious locations
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - ':\Temp\'
    condition: selection_parent and 1 of selection_children_*

False Positives
In development environments where VsCode is used heavily, false positives may occur when developers use tasks to compile or execute different types of code. Remove or add processes accordingly.
MITRE ATT&CK
Rule Metadata
Rule ID
5a3164f2-b373-4152-93cf-090b13c12d27
Status
test
Level
medium
Type
Detection
Created
Thu Jan 26
Modified
Wed Oct 25
Path
rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml
Raw Tags
attack.execution, attack.defense-evasion, attack.t1218, attack.t1202