VSDiagnostics Used for Proxying Execution of Malicious Binaries

Detects proxied execution of malicious payloads via vsdiagnostics.exe. VSDiagnostics.exe is an executable shipped with Microsoft Visual Studio. Threat actors can use the start command to start a new session in combination with the /launch and /launchargs parameters to execute a malicious payload on disk. The rule keys on the parent: it fires on the process creation event of the launched payload, whose parent is VSDiagnostics.exe with ' start ' and ' /launch:' on the parent command line.

Sigma rule

title: VSDiagnostics Used for Proxying Execution of Malicious Binaries
id: 81d761c8-ed08-4421-8206-8ff516e453bf
description: >
    Detects proxied execution of malicious payloads via vsdiagnostics.exe. VSDiagnostics.exe is an executable shipped with Microsoft Visual Studio.
    Threat actors can use the start command to start a new session in combination with the /launch and /launchargs parameters to execute a malicious payload on disk.
status: experimental
date: 2023/07/12
author: '@kostastsale'
references:
  - https://twitter.com/0xboku/status/1679200664013135872?s=61&t=6z39HX6rrsHrDBR6CqH8DQ
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
      ParentImage|endswith:
        - '\VSDiagnostics.exe'
      ParentCommandLine|contains|all:
        - ' start '
        - ' /launch:'
    condition: selection1
falsepositives:
    - Unknown
level: medium
tags:
    - attack.defense_evasion
    - attack.t1218
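To show what the selection above actually matches, here is an added example (not part of the Sigma rule, the sigma project, or the referenced tweet): a minimal evaluator for the rule's `selection1`, run over three constructed process_creation events with Sysmon-style field names. The Visual Studio install path, the payload path `C:\Users\Public\update.exe` and the command lines are made up for the example; Sigma's default case-insensitive string matching is reproduced by lowercasing both sides.

```python
# Added example: a tiny evaluator for the VSDiagnostics Sigma rule's selection,
# run over constructed process_creation events. Not the rule's own tooling.

def field_matches(value: str, modifiers: list[str], patterns: list[str]) -> bool:
    """Apply Sigma string modifiers to one field value.

    Sigma string matching is case-insensitive by default, so both sides are
    lowercased. The first modifier selects the comparison (endswith, startswith,
    contains, or exact match); a trailing 'all' requires every pattern to match
    instead of any one of them.
    """
    value = value.lower()
    patterns = [p.lower() for p in patterns]
    op = modifiers[0] if modifiers else "equals"
    if op == "endswith":
        test = value.endswith
    elif op == "startswith":
        test = value.startswith
    elif op == "contains":
        test = lambda p: p in value
    else:
        test = lambda p: value == p
    combine = all if "all" in modifiers[1:] else any
    return combine(test(p) for p in patterns)


def selection_matches(selection: dict, event: dict) -> bool:
    """A selection maps 'Field|mod|mod' -> pattern(s); every key must match."""
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        if isinstance(patterns, str):
            patterns = [patterns]
        if not field_matches(event.get(field, ""), modifiers, patterns):
            return False
    return True


# Transcribed from the rule's selection1 above.
RULE_SELECTION = {
    "ParentImage|endswith": ["\\VSDiagnostics.exe"],
    "ParentCommandLine|contains|all": [" start ", " /launch:"],
}

# Assumed install location of the collector binary (hypothetical path).
VSDIAG = (r"C:\Program Files\Microsoft Visual Studio\2022\Community"
          r"\Team Tools\DiagnosticsHub\Collector\VSDiagnostics.exe")

# Constructed sample events; field names follow Sysmon Event ID 1.
SAMPLE_EVENTS = [
    # 1. Payload launched through a new VSDiagnostics session: should match.
    {
        "Image": r"C:\Users\Public\update.exe",
        "ParentImage": VSDIAG,
        "ParentCommandLine": f'"{VSDIAG}" start 1 /launch:C:\\Users\\Public\\update.exe /launchargs:"-s"',
    },
    # 2. Same parent binary, but a stop invocation without /launch: no match.
    {
        "Image": r"C:\Windows\System32\conhost.exe",
        "ParentImage": VSDIAG,
        "ParentCommandLine": f'"{VSDIAG}" stop 1 /output:C:\\temp\\trace.diagsession',
    },
    # 3. The same arguments typed into cmd.exe: ParentImage does not match.
    {
        "Image": r"C:\Users\Public\update.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": "cmd.exe /c start 1 /launch:C:\\Users\\Public\\update.exe",
    },
]


def run_rule(events: list[dict]) -> list[str]:
    """Return the Image of every event the rule would alert on."""
    return [e["Image"] for e in events if selection_matches(RULE_SELECTION, e)]


if __name__ == "__main__":
    for image in run_rule(SAMPLE_EVENTS):
        print("ALERT: VSDiagnostics proxied execution ->", image)
```

Because the rule matches on the parent, the alert is raised on the payload's own creation event, so `Image` carries the path that matters for triage. A developer profiling their own application produces an identical parent command line, which is why the level is medium: check the launched image's path and signature rather than the VSDiagnostics invocation itself.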
