Suspicious Execution from VS Code Extension

  1[metadata]
  2creation_date = "2026/02/13"
  3integration = ["endpoint"]
  4maturity = "production"
  5updated_date = "2026/02/13"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Detects suspicious process execution launched from a VS Code extension context (parent command line contains
 11.vscode/extensions). Malicious extensions can run on startup and drop or execute payloads (e.g. RATs like
 12ScreenConnect, script interpreters, or download utilities). This covers both script/LOLBin children and
 13recently created executables from non-Program Files paths, as seen in campaigns such as the fake Clawdbot
 14extension that installed ScreenConnect RAT.
 15"""
 16from = "now-9m"
 17index = ["logs-endpoint.events.process-*"]
 18language = "eql"
 19license = "Elastic License v2"
 20name = "Suspicious Execution from VS Code Extension"
 21note = """## Triage and analysis
 22
 23### Investigating Suspicious Execution from VS Code Extension
 24
 25Malicious VS Code extensions can use `activationEvents: ["onStartupFinished"]` to run as soon as the editor starts, then spawn scripts or download-and-execute payloads (e.g. weaponized ScreenConnect, batch/PowerShell downloaders). This rule flags process starts whose parent command line indicates execution from the extension host under `.vscode\\extensions\\` (or `/.vscode/extensions/`).
 26
 27### Possible investigation steps
 28
 29- Identify the extension: from the parent process command line, extract the path under `.vscode\\extensions\\` to get the extension id (e.g. `publisher.name-version`).
 30- Check whether that extension is approved; search the VS Code marketplace (or internal registry) for the same name and compare hashes.
 31- Inspect the child process: if it is cmd/powershell/curl/node/rundll32/etc., review command line and network/file activity; if it is a recently created executable (e.g. Code.exe, Lightshot), check path (e.g. %TEMP%\\Lightshot) and code signature.
 32- Correlate with network events (C2 domains, Dropbox/URL downloads) and with [Fake Clawdbot VS Code Extension](https://www.aikido.dev/blog/fake-clawdbot-vscode-extension-malware) IOCs if relevant.
 33
 34### False positive analysis
 35
 36- Legitimate extensions that run scripts or tools (e.g. linters, formatters, task runners) can spawn cmd, node, or PowerShell. Tune by excluding known extension ids or by requiring additional conditions (e.g. outbound to unknown IPs).
 37- Extension development: running/debugging an extension from a workspace will spawn processes from `.vscode\\extensions\\`; consider excluding dev machines or specific parent paths.
 38
 39### Response and remediation
 40
 41- Uninstall the suspicious extension and restart VS Code.
 42- If payload was executed: check for ScreenConnect (or similar) installation paths and services, remove persisted artifacts, block IOCs at firewall/DNS, rotate any API keys or secrets that may have been entered into the extension.
 43"""
 44references = [
 45    "https://www.aikido.dev/blog/fake-clawdbot-vscode-extension-malware",
 46    "https://attack.mitre.org/techniques/T1204/",
 47    "https://attack.mitre.org/techniques/T1195/002/",
 48]
 49risk_score = 47
 50rule_id = "c3d4e5f6-a7b8-6c9d-0e1f-2a3b4c5d6e7f"
 51severity = "medium"
 52tags = [
 53    "Domain: Endpoint",
 54    "OS: Windows",
 55    "Use Case: Threat Detection",
 56    "Tactic: Initial Access",
 57    "Tactic: Execution",
 58    "Data Source: Elastic Defend",
 59    "Resources: Investigation Guide",
 60]
 61timestamp_override = "event.ingested"
 62type = "eql"
 63
 64query = '''
 65process where host.os.type == "windows" and event.action == "start" and
 66  process.parent.name : ("node.exe", "Code.exe") and
 67  process.parent.command_line != null and
 68  process.parent.command_line : ("*vscode*extensions*", "*extensionHost*") and
 69  (
 70    process.name : (
 71      "cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "msiexec.exe",
 72      "curl.exe", "bitsadmin.exe", "wscript.exe", "cscript.exe", "mshta.exe",
 73      "node.exe"
 74    ) or
 75	
 76	// recently dropped PE
 77    process.Ext.relative_file_creation_time <= 500
 78  ) and 
 79  not (process.name : "cmd.exe" and process.args : ("npm.cmd config get prefix", "code -v", "chcp")) and 
 80  not (process.name : "python.exe" and process.parent.command_line : "*ms-python.vscode-*")
 81'''
 82
 83
 84
 85[[rule.threat]]
 86framework = "MITRE ATT&CK"
 87[[rule.threat.technique]]
 88id = "T1195"
 89name = "Supply Chain Compromise"
 90reference = "https://attack.mitre.org/techniques/T1195/"
 91[[rule.threat.technique.subtechnique]]
 92id = "T1195.002"
 93name = "Compromise Software Supply Chain"
 94reference = "https://attack.mitre.org/techniques/T1195/002/"
 95
 96[rule.threat.tactic]
 97id = "TA0001"
 98name = "Initial Access"
 99reference = "https://attack.mitre.org/tactics/TA0001/"
100
101[[rule.threat]]
102framework = "MITRE ATT&CK"
103[[rule.threat.technique]]
104id = "T1059"
105name = "Command and Scripting Interpreter"
106reference = "https://attack.mitre.org/techniques/T1059/"
107[[rule.threat.technique]]
108id = "T1204"
109name = "User Execution"
110reference = "https://attack.mitre.org/techniques/T1204/"
111[[rule.threat.technique.subtechnique]]
112id = "T1204.002"
113name = "Malicious File"
114reference = "https://attack.mitre.org/techniques/T1204/002/"
115
116[rule.threat.tactic]
117id = "TA0002"
118name = "Execution"
119reference = "https://attack.mitre.org/tactics/TA0002/"