Skip to content

[New] Suspicious Execution from VS Code Extension#5786

Merged
Samirbous merged 13 commits intomainfrom
vscode_rogue
Mar 9, 2026
Merged

[New] Suspicious Execution from VS Code Extension#5786
Samirbous merged 13 commits intomainfrom
vscode_rogue

Conversation

@Samirbous
Copy link
Copy Markdown
Contributor

@Samirbous Samirbous commented Feb 26, 2026

Detects suspicious process execution launched from a VS Code extension context (parent command line contains .vscode/extensions). Malicious extensions can run on startup and drop or execute payloads (e.g. RATs like ScreenConnect, script interpreters, or download utilities). This covers both script/LOLBin children and recently created executables from non-Program Files paths, as seen in campaigns such as the fake Clawdbot extension that installed ScreenConnect RAT.

@Samirbous
[New] Suspicious Execution from VS Code Extension
4d3f0af 
Detects suspicious process execution launched from a VS Code extension context (parent command line contains
.vscode/extensions). Malicious extensions can run on startup and drop or execute payloads (e.g. RATs like
ScreenConnect, script interpreters, or download utilities). This covers both script/LOLBin children and
recently created executables from non-Program Files paths, as seen in campaigns such as the fake Clawdbot
extension that installed ScreenConnect RAT.
@Samirbous Samirbous self-assigned this Feb 26, 2026
@Samirbous Samirbous added Rule: New Proposal for new rule OS: Windows windows related rules labels Feb 26, 2026
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Feb 26, 2026

Rule: New - Guidelines

These guidelines serve as a reminder set of considerations when proposing a new rule.

Documentation and Context

  • Detailed description of the rule.
  • List any new fields required in ECS/data sources.
  • Link related issues or PRs.
  • Include references.

Rule Metadata Checks

  • creation_date matches the date of creation PR initially merged.
  • min_stack_version should support the widest stack versions.
  • name and description should be descriptive and not include typos.
  • query should be inclusive, not overly exclusive, considering performance for diverse environments. Non ecs fields should be added to non-ecs-schema.json if not available in an integration.
  • min_stack_comments and min_stack_version should be included if the rule is only compatible starting from a specific stack version.
  • index pattern should be neither too specific nor too vague, ensuring it accurately matches the relevant data stream (e.g., use logs-endpoint.process-* for process data).
  • integration should align with the index. If the integration is newly introduced, ensure the manifest, schemas, and new_rule.yaml template are updated.
  • setup should include the necessary steps to configure the integration.
  • note should include any additional information (e.g. Triage and analysis investigation guides, timeline templates).
  • tags should be relevant to the threat and align/added to the EXPECTED_RULE_TAGS in the definitions.py file.
  • threat, techniques, and subtechniques should map to ATT&CK always if possible.

New BBR Rules

  • building_block_type should be included if the rule is a building block and the rule should be located in the rules_building_block folder.
  • bypass_bbr_timing should be included if adding custom lookback timing to the rule.

Testing and Validation

  • Provide evidence of testing and detecting the expected threat.
  • Check for existence of coverage to prevent duplication.

@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Feb 26, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Suspicious Execution from Potentially Malicious VS Code Extension (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Feb 26, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Suspicious Execution from VS Code Extension (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Feb 26, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Suspicious Execution from VS Code Extension (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Feb 26, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Suspicious Execution from VS Code Extension (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Feb 26, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Suspicious Execution from VS Code Extension (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Feb 26, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Suspicious Execution from VS Code Extension (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Feb 26, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Suspicious Execution from VS Code Extension (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Feb 26, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Suspicious Execution from VS Code Extension (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Feb 26, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Suspicious Execution from VS Code Extension (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Mar 9, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Suspicious Execution from VS Code Extension (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Mar 9, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Suspicious Execution from VS Code Extension (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Mar 9, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Suspicious Execution from VS Code Extension (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@Samirbous Samirbous merged commit ec4a0e5 into main Mar 9, 2026
15 of 19 checks passed
@Samirbous Samirbous deleted the vscode_rogue branch March 9, 2026 16:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@eric-forte-elastic eric-forte-elastic eric-forte-elastic left review comments

@Mikaayenson Mikaayenson Mikaayenson approved these changes

@imays11 imays11 imays11 approved these changes

@Aegrah Aegrah Aegrah approved these changes

@w0rk3r w0rk3r Awaiting requested review from w0rk3r

@DefSecSentinel DefSecSentinel Awaiting requested review from DefSecSentinel

Assignees

@Samirbous Samirbous

Labels

backport: auto Domain: Endpoint OS: Windows windows related rules Rule: New Proposal for new rule

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@Samirbous @tradebot-elastic @Mikaayenson @imays11 @Aegrah @eric-forte-elastic