Suspicious Vsls-Agent Command With AgentExtensionPath Load

Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter

Sigma rule (View on GitHub)

 1title: Suspicious Vsls-Agent Command With AgentExtensionPath Load
 2id: 43103702-5886-11ed-9b6a-0242ac120002
 3status: test
 4description: Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter
 5references:
 6    - https://twitter.com/bohops/status/1583916360404729857
 7author: bohops
 8date: 2022-10-30
 9tags:
10    - attack.defense-evasion
11    - attack.t1218
12logsource:
13    category: process_creation
14    product: windows
15detection:
16    selection:
17        Image|endswith: '\vsls-agent.exe'
18        CommandLine|contains: '--agentExtensionPath'
19    filter:
20        CommandLine|contains: 'Microsoft.VisualStudio.LiveShare.Agent.'
21    condition: selection and not filter
22fields:
23    - CommandLine
24    - ParentCommandLine
25falsepositives:
26    - False positives depend on custom use of vsls-agent.exe
27level: medium

References

Related rules

to-top