Malicious PE Execution by Microsoft Visual Studio Debugger

The Microsoft Visual Studio Just-In-Time Debugger, vsjitdebugger.exe, accepts the path of an executable on its command line: it launches that program and attaches a debugger to it. Because the debugger is a signed Microsoft binary, adversaries can abuse this option to run arbitrary code under a trusted parent process (the LOLBAS project tracks it under OtherMSBinaries/Vsjitdebugger). The debugger ships with the Microsoft Visual Studio package and is therefore present on developer workstations rather than on typical end-user hosts. The rule below keys on the child process creation event, i.e. on any process whose parent is vsjitdebugger.exe, and filters out the two children a legitimate Just-In-Time debugging session produces: the Visual Studio IDE (devenv.exe) and its immersive activation helper.

Sigma rule

title: Malicious PE Execution by Microsoft Visual Studio Debugger
id: 15c7904e-6ad1-4a45-9b46-5fb25df37fd2
status: test
description: |
    The Microsoft Visual Studio Just-In-Time Debugger "vsjitdebugger.exe" has an option to launch a specified executable and attach a debugger to it.
    Adversaries may use this option to execute malicious code under a signed, trusted binary.
    The debugger is installed alongside the Microsoft Visual Studio package.
references:
    - https://twitter.com/pabraeken/status/990758590020452353
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/
    - https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019
author: Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community
date: 2020/10/14
modified: 2022/10/09
tags:
    - attack.t1218
    - attack.defense_evasion
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\vsjitdebugger.exe'
    # Expected children of a legitimate Just-In-Time debugging session
    reduction1:
        Image|endswith: '\vsimmersiveactivatehelper*.exe'
    reduction2:
        Image|endswith: '\devenv.exe'
    condition: selection and not (reduction1 or reduction2)
falsepositives:
    - Legitimate processes spawned by vsjitdebugger.exe other than the excluded ones are uncommon.
level: medium
