Use of VSIISExeLauncher.exe
The "VSIISExeLauncher.exe" binary, part of Visual Studio/VS Code, can be used to execute arbitrary binaries.
Sigma rule
```yaml
title: Use of VSIISExeLauncher.exe
id: 18749301-f1c5-4efc-a4c3-276ff1f5b6f8
status: test
description: The "VSIISExeLauncher.exe" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/VSIISExeLauncher/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/06/09
tags:
    - attack.defense_evasion
    - attack.t1127
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\VSIISExeLauncher.exe'
        - OriginalFileName: 'VSIISExeLauncher.exe'
    selection_cli:
        CommandLine|contains:
            - ' -p '
            - ' -a '
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
```
Related rules
- Ilasm Lolbin Use Compile C-Sharp
- JSC Convert Javascript To Executable
- Kavremover Dropped Binary LOLBIN Usage
- Node Process Executions
- Remote Thread Creation Ttdinject.exe Proxy