Suspicious Vsls-Agent Command With AgentExtensionPath Load
Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter
Sigma rule

```yaml
title: Suspicious Vsls-Agent Command With AgentExtensionPath Load
id: 43103702-5886-11ed-9b6a-0242ac120002
status: test
description: Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter
references:
    - https://twitter.com/bohops/status/1583916360404729857
author: bohops
date: 2022-10-30
tags:
    - attack.defense-evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\vsls-agent.exe'
        CommandLine|contains: '--agentExtensionPath'
    filter:
        CommandLine|contains: 'Microsoft.VisualStudio.LiveShare.Agent.'
    condition: selection and not filter
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - False positives depend on custom use of vsls-agent.exe
level: medium
```
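To make the rule's logic concrete, the following is an added example (not code from the Sigma project, and not a Sigma backend conversion) that hand-translates the `selection`, `filter` and `condition` blocks into Python and runs them over a handful of constructed process_creation events. The install directory, parent processes and the `Microsoft.VisualStudio.LiveShare.Agent.Placeholder.dll` file name are made up for the sample; only the matching strings come from the rule. It also shows that Sigma's `endswith`/`contains` modifiers match case-insensitively, which the YAML alone does not make obvious.

```python
"""Reference evaluation of the rule above over constructed process_creation
events. Added example for this page; not Sigma project code and not the output
of a Sigma backend, just the rule's three blocks written out in Python."""

from typing import Dict, List


# Sigma string modifiers (endswith, contains) are case-insensitive, so both
# sides are lower-cased before comparing.
def sigma_endswith(value: str, suffix: str) -> bool:
    return value.lower().endswith(suffix.lower())


def sigma_contains(value: str, needle: str) -> bool:
    return needle.lower() in value.lower()


def selection(event: Dict[str, str]) -> bool:
    """The rule's `selection` block: both field conditions must hold."""
    return (sigma_endswith(event.get("Image", ""), "\\vsls-agent.exe")
            and sigma_contains(event.get("CommandLine", ""), "--agentExtensionPath"))


def filter_(event: Dict[str, str]) -> bool:
    """The rule's `filter` block: the vendor's Live Share agent library prefix."""
    return sigma_contains(event.get("CommandLine", ""),
                          "Microsoft.VisualStudio.LiveShare.Agent.")


def matches_rule(event: Dict[str, str]) -> bool:
    """`condition: selection and not filter`."""
    return selection(event) and not filter_(event)


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the hits, reduced to the fields the rule lists under `fields:`
    (what an analyst would see in the resulting alert)."""
    return [{"CommandLine": e.get("CommandLine", ""),
             "ParentCommandLine": e.get("ParentCommandLine", "")}
            for e in events if matches_rule(e)]


# Constructed sample events. The install path, parent processes and the
# "...Placeholder.dll" file name are invented for this example.
VS_AGENT_DIR = r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\LiveShare\Agent"
DEVENV = r'"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"'

SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # 1: normal Live Share start, library under the vendor prefix -> filtered out
        "Image": VS_AGENT_DIR + r"\vsls-agent.exe",
        "CommandLine": f'"{VS_AGENT_DIR}\\vsls-agent.exe" --agentExtensionPath '
                       f'"{VS_AGENT_DIR}\\Microsoft.VisualStudio.LiveShare.Agent.Placeholder.dll"',
        "ParentCommandLine": DEVENV,
    },
    {   # 2: same binary, extension path outside the vendor prefix -> alert
        "Image": VS_AGENT_DIR + r"\vsls-agent.exe",
        "CommandLine": f'"{VS_AGENT_DIR}\\vsls-agent.exe" --agentExtensionPath C:\\Users\\Public\\agent.dll',
        "ParentCommandLine": r"C:\Windows\System32\cmd.exe",
    },
    {   # 3: the parameter alone is not enough; Image must be vsls-agent.exe
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c echo --agentExtensionPath",
        "ParentCommandLine": r"C:\Windows\explorer.exe",
    },
    {   # 4: vsls-agent.exe started without the parameter -> no selection match
        "Image": VS_AGENT_DIR + r"\vsls-agent.exe",
        "CommandLine": f'"{VS_AGENT_DIR}\\vsls-agent.exe"',
        "ParentCommandLine": DEVENV,
    },
    {   # 5: mixed case; Sigma matching is case-insensitive, so this still alerts
        "Image": VS_AGENT_DIR.upper() + r"\VSLS-AGENT.EXE",
        "CommandLine": r"VSLS-AGENT.EXE --AGENTEXTENSIONPATH C:\Users\Public\x.dll",
        "ParentCommandLine": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT:", hit["CommandLine"], "| parent:", hit["ParentCommandLine"])
```

Running the block prints two alerts (events 2 and 5). Because the filter is only a substring test on `CommandLine`, tuning for an environment should start from the `ParentCommandLine` field the rule exposes: a Live Share agent launched by `devenv.exe` with a library under the vendor prefix is the expected baseline, and anything else is what the medium level is asking an analyst to look at.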
References
- https://twitter.com/bohops/status/1583916360404729857
Related rules
- Abusing Print Executable
- AddinUtil.EXE Execution From Uncommon Directory
- AgentExecutor PowerShell Execution
- Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
- Arbitrary File Download Via MSOHTMED.EXE