Detects the manual installation of a VS Code extension by a non-standard parent process (a shell, a Python or Tcl interpreter, or osascript). An adversary may use this technique to persist via a malicious extension.
Target indexes
logs-*
Target Operating Systems
macOS
Tested ECS Version
1.11.0
Query
process where event.type == "start" and event.action == "exec" and
process.parent.name : ("bash", "sh", "zsh", "tclsh*", "python*", "osascript") and
process.args in ("/usr/local/bin/code", "code", "/Applications/Visual Studio Code.app/Contents/MacOS/Electron", "Electron") and
process.args : "--install-extension*" and
not process.args : "kiteco.kite" and
not process.executable in ("/usr/bin/man", "/usr/bin/env", "/usr/bin/xargs") and
not process.parent.executable in ("/usr/local/bin/code", "/usr/bin/code", "/Applications/Visual Studio Code.app/Contents/MacOS/Electron", "/usr/bin/xargs")
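To make the rule's conditions concrete, here is an added Python re-implementation of the query's predicate (not code from the issue or from the Elastic rule) run over constructed, ECS-shaped process events; it shows which launches fire and which are excluded by the `kiteco.kite`, wrapper-executable and parent-executable clauses.

```python
import fnmatch

# The rule's literal lists, copied from the EQL query above.
PARENT_NAMES = ("bash", "sh", "zsh", "tclsh*", "python*", "osascript")
CODE_ARGS = ("/usr/local/bin/code", "code",
             "/Applications/Visual Studio Code.app/Contents/MacOS/Electron",
             "Electron")
WRAPPER_EXES = ("/usr/bin/man", "/usr/bin/env", "/usr/bin/xargs")
CODE_PARENT_EXES = ("/usr/local/bin/code", "/usr/bin/code",
                    "/Applications/Visual Studio Code.app/Contents/MacOS/Electron",
                    "/usr/bin/xargs")

def _wild(value, patterns):
    # EQL ":" is a case-insensitive wildcard comparison; "in" is exact membership.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def is_suspicious_extension_install(ev):
    """True when an ECS process event meets every condition of the rule."""
    proc = ev["process"]
    parent = proc.get("parent", {})
    args = proc.get("args", [])
    return (
        ev["event"].get("type") == "start"
        and ev["event"].get("action") == "exec"
        and _wild(parent.get("name", ""), PARENT_NAMES)
        and any(a in CODE_ARGS for a in args)
        and any(_wild(a, ("--install-extension*",)) for a in args)
        and not any(_wild(a, ("kiteco.kite",)) for a in args)
        and proc.get("executable") not in WRAPPER_EXES
        and parent.get("executable") not in CODE_PARENT_EXES
    )

def event(parent_name, parent_exe, executable, args):
    # Constructed, minimal ECS-shaped event carrying only the fields the rule reads.
    return {"event": {"type": "start", "action": "exec"},
            "process": {"executable": executable, "args": args,
                        "parent": {"name": parent_name, "executable": parent_exe}}}

SAMPLE_EVENTS = {  # constructed samples, not real telemetry
    "bash_vsix": event("bash", "/bin/bash", "/usr/local/bin/code",
                       ["code", "--install-extension", "/tmp/ext.vsix"]),
    "python_child": event("python3.9", "/usr/bin/python3", "/usr/local/bin/code",
                          ["code", "--install-extension", "publisher.ext"]),
    "kite_allowlisted": event("sh", "/bin/sh", "/usr/local/bin/code",
                              ["code", "--install-extension", "kiteco.kite"]),
    "env_wrapper": event("bash", "/bin/bash", "/usr/bin/env",
                         ["env", "code", "--install-extension", "publisher.ext"]),
}

def evaluate_samples():
    return {n: is_suspicious_extension_install(e) for n, e in SAMPLE_EVENTS.items()}
```

The first two samples fire (shell and interpreter parents), while the Kite installer and the `/usr/bin/env` wrapper launch are suppressed by the rule's exclusions.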
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
References
https://www.mdsec.co.uk/2021/01/macos-post-exploitation-shenanigans-with-vscode-extensions/
https://github.com/elastic/endpoint-rules/blob/c3d745dded34ff824a5a16b1c29ad4a4f9d260e7/rules/persistence_vscode_extension_installation.toml#L10