VSDiagnostics used for proxying execution malicious binaries
Detects the subvert execution of malicious payloads using vsdiagnostics.exe. VSDiagnostics.exe is an executable part of the Microsoft Visual Studio. Threat actors can use the start to start a new session in combination with the /launch and /launchargs parameters to execute a malicious payload on disk.
Sigma rule (View on GitHub)
1title: VSDiagnostics used for proxying execution malicious binaries
2id: 81d761c8-ed08-4421-8206-8ff516e453bf
3description: >
4 Detects the subvert execution of malicious payloads using vsdiagnostics.exe. VSDiagnostics.exe is an executable part of the Microsoft Visual Studio.
5 Threat actors can use the start to start a new session in combination with the /launch and /launchargs parameters to execute a malicious payload on disk.
6status: experimental
7date: 2023/07/12
8author: '@kostastsale'
9references:
10 - https://twitter.com/0xboku/status/1679200664013135872?s=61&t=6z39HX6rrsHrDBR6CqH8DQ
11logsource:
12 category: process_creation
13 product: windows
14detection:
15 selection1:
16 ParentImage|endswith:
17 - '\VSDiagnostics.exe'
18 ParentCommandLine|contains|all:
19 - ' start '
20 - ' /launch:'
21 condition: selection1
22falsepositives:
23 - Uknown
24level: medium
25tags:
26 - attack.defense_evasion
27 - attack.T1218
References
Related rules
- CMSTP installation of malicious code
- Deleting Windows Defender scheduled tasks
- Dumpbin LOLBin use for proxying execution via link.exe
- Enabling RDP service via reg.exe command execution
- Enabling restricted admin mode