elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[New Rule] Suspicious Manual VS Code Extension Installation #2575

Open DefSecSentinel opened 1 year ago

DefSecSentinel commented 1 year ago

Description

Detects the manual installation of a VS Code extension by a non-standard parent process. An adversary may use this technique to persist via a malicious extension.

Target indexes

logs-*

Target Operating Systems

macOS

Tested ECS Version

1.11.0

Query

```eql
// Process start events where a shell or scripting interpreter, rather than
// VS Code itself, launches the VS Code CLI with --install-extension.
process where event.type == "start" and event.action == "exec" and
  process.parent.name : ("bash", "sh", "zsh", "tclsh*", "python*", "osascript") and
  process.args in ("/usr/local/bin/code", "code", "/Applications/Visual Studio Code.app/Contents/MacOS/Electron", "Electron") and
  process.args : "--install-extension*" and
  // Exclusion for a specific extension identifier
  not process.args : "kiteco.kite" and
  // Exclusions for wrappers that re-exec the command line
  not process.executable in ("/usr/bin/man", "/usr/bin/env", "/usr/bin/xargs") and
  // Exclusions for installs spawned by VS Code itself or via xargs
  not process.parent.executable in ("/usr/local/bin/code", "/usr/bin/code", "/Applications/Visual Studio Code.app/Contents/MacOS/Electron", "/usr/bin/xargs")
```

References

https://www.mdsec.co.uk/2021/01/macos-post-exploitation-shenanigans-with-vscode-extensions/
https://github.com/elastic/endpoint-rules/blob/c3d745dded34ff824a5a16b1c29ad4a4f9d260e7/rules/persistence_vscode_extension_installation.toml#L10
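As an added example (not code from the issue author or from the detection-rules repository), the predicates of the proposed query are re-implemented in Python and run over constructed ECS-style process events, so you can see which events fire and which are suppressed by the exclusions. The events, their `id` labels and the paths in them are constructed for illustration; field names follow ECS, and the matching rules assumed are EQL's: `==` and `in` are exact and case-sensitive, `:` is a case-insensitive wildcard match, and any comparison against an array field is true if any element matches.

```python
"""Proposed EQL rule re-implemented as plain Python predicates over ECS-style events.
Added example for illustration only; not part of elastic/detection-rules."""
from fnmatch import fnmatchcase
from typing import Any, Dict, Iterable, List

# Value lists copied from the query in the issue.
PARENT_NAMES = ("bash", "sh", "zsh", "tclsh*", "python*", "osascript")
CODE_BINARIES = (
    "/usr/local/bin/code", "code",
    "/Applications/Visual Studio Code.app/Contents/MacOS/Electron", "Electron",
)
EXCLUDED_EXECUTABLES = ("/usr/bin/man", "/usr/bin/env", "/usr/bin/xargs")
EXCLUDED_PARENT_EXECUTABLES = (
    "/usr/local/bin/code", "/usr/bin/code",
    "/Applications/Visual Studio Code.app/Contents/MacOS/Electron", "/usr/bin/xargs",
)

Event = Dict[str, Any]  # flattened ECS field name -> scalar or list of values


def _values(event: Event, field: str) -> List[str]:
    """ECS fields may be scalar or array; treat a scalar as a one-element array."""
    value = event.get(field)
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def eq_any(event: Event, field: str, *options: str) -> bool:
    """EQL `==` / `in`: exact, case-sensitive match against any array element."""
    return any(v in options for v in _values(event, field))


def like_any(event: Event, field: str, *patterns: str) -> bool:
    """EQL `:`: case-insensitive wildcard ('*', '?') match against any array element.
    fnmatch also interprets '[...]', which EQL does not; no pattern here uses it."""
    return any(
        fnmatchcase(v.lower(), p.lower())
        for v in _values(event, field) for p in patterns
    )


def matches_rule(event: Event) -> bool:
    """True when the event satisfies every clause of the proposed query."""
    return (
        eq_any(event, "event.type", "start")
        and eq_any(event, "event.action", "exec")
        and like_any(event, "process.parent.name", *PARENT_NAMES)
        and eq_any(event, "process.args", *CODE_BINARIES)
        and like_any(event, "process.args", "--install-extension*")
        and not like_any(event, "process.args", "kiteco.kite")
        and not eq_any(event, "process.executable", *EXCLUDED_EXECUTABLES)
        and not eq_any(event, "process.parent.executable", *EXCLUDED_PARENT_EXECUTABLES)
    )


def exec_event(ident: str, parent: str, parent_exe: str, exe: str, args: List[str]) -> Event:
    """Build a constructed process-exec event (not real telemetry)."""
    return {
        "id": ident, "event.type": ["start"], "event.action": "exec",
        "process.parent.name": parent, "process.parent.executable": parent_exe,
        "process.executable": exe, "process.args": args,
    }


CODE = "/usr/local/bin/code"

# Constructed sample events: the first three should alert, the rest should not.
SAMPLE_EVENTS: List[Event] = [
    exec_event("script_install", "osascript", "/usr/bin/osascript", CODE,
               ["code", "--install-extension", "/tmp/payload.vsix"]),
    exec_event("terminal_install", "zsh", "/bin/zsh", CODE,
               ["code", "--install-extension", "ms-python.python"]),
    # Mixed case still matches because `:` is case-insensitive.
    exec_event("python_parent_upper", "Python3", "/usr/bin/python3", CODE,
               ["code", "--INSTALL-EXTENSION", "/tmp/payload.vsix"]),
    exec_event("kite_exception", "bash", "/bin/bash", CODE,
               ["code", "--install-extension", "kiteco.kite"]),
    # Wrapper binary is in the process.executable exclusion list.
    exec_event("xargs_wrapper", "bash", "/bin/bash", "/usr/bin/xargs",
               ["xargs", "code", "--install-extension"]),
    exec_event("list_only", "zsh", "/bin/zsh", CODE, ["code", "--list-extensions"]),
]


def alerts(events: Iterable[Event]) -> List[str]:
    """Return the ids of the events that would raise an alert."""
    return [e["id"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("ALERT", hit)
```

The `terminal_install` event shows the trade-off the rule makes: a user typing `code --install-extension` into a zsh Terminal is a "manual installation" by the issue's definition and fires exactly like the `osascript` case, so any further tuning (allow-listed extension IDs, publisher prefixes) is environment-specific and not part of the proposed query.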

botelastic[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.