Adversaries may install malicious VS Code extensions to persist on a user’s system and exfiltrate data. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or data exfiltration tactics.
KQL Query

```kql
DeviceProcessEvents
| where ProcessCommandLine contains "VSIxs" or ProcessCommandLine contains "vsce-sign.exe"
| extend ExtensionName = case(
    ProcessCommandLine contains "vsce-sign.exe", extract('CachedExtensionVSIXs\\\\([^\\s"]+)', 1, ProcessCommandLine),
    ProcessCommandLine contains "VSIxs", extract('CachedExtensionVSIXs/([^"]+)', 1, ProcessCommandLine),
    "")
| extend ExtensionName = iif(isempty(ExtensionName), "", ExtensionName)
| summarize ExtensionName = make_set(ExtensionName), count() by DeviceName, AccountName
```
```yaml
id: 75830932-794e-4a18-b62f-cc2a010080b5
name: List all the VScode Extensions which are installed on a user system
description: |
  'Detects observed Visual Studio Code (VS Code) extension installation activity on a user's system within the query time range.
  Note: This query does not return a complete per-user inventory of installed extensions and may miss extensions installed outside the telemetry window or via unsupported installation methods.
  Ref: https://blog.checkpoint.com/securing-the-cloud/malicious-vscode-extensions-with-more-than-45k-downloads-steal-pii-and-enable-backdoors/'
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Persistence
relevantTechniques:
  - T1547.006
query: |
  DeviceProcessEvents
  | where ProcessCommandLine contains "VSIxs" or ProcessCommandLine contains "vsce-sign.exe"
  | extend ExtensionName = case(
      ProcessCommandLine contains "vsce-sign.exe", extract('CachedExtensionVSIXs\\\\([^\\s"]+)', 1, ProcessCommandLine),
      ProcessCommandLine contains "VSIxs", extract('CachedExtensionVSIXs/([^"]+)', 1, ProcessCommandLine),
      "")
  | extend ExtensionName = iif(isempty(ExtensionName), "", ExtensionName)
  | summarize ExtensionName = make_set(ExtensionName), count() by DeviceName, AccountName
entityMappings:
  - entityType: File
    fieldMappings:
      - identifier: Name
        columnName: ExtensionName
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: DeviceName
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: AccountName
version: 1.0.2
metadata:
  source:
    kind: Community
  author:
    name: Anish Bhowmick
  support:
    tier: Community
  categories:
    domains: [ "Security - Threat Protection" ]
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: A system administrator installs a VS Code extension as part of a standard tooling setup for developers.
Filter/Exclusion: Exclude events where the user is a system admin or where the installation is part of a known deployment process (e.g., user_account = "admin" OR process_name = "setup_tool.exe").
Scenario: A scheduled job or automation script installs a VS Code extension to standardize development environments across multiple machines.
Filter/Exclusion: Exclude events where the process is initiated by a scheduled task or automation tool (e.g., process_name = "schtasks.exe" OR process_name = "ansible.exe").
Scenario: A user installs a VS Code extension for productivity purposes, such as a code formatter or linter, as part of their daily workflow.
Filter/Exclusion: Exclude events where the extension is commonly used for development tasks (e.g., extension_name LIKE "%Prettier%" OR extension_name LIKE "%ESLint%").
Scenario: A security tool or endpoint protection software installs a VS Code extension as part of its own integration or monitoring capabilities.
Filter/Exclusion: Exclude events where the installation is initiated by a known security tool (e.g., process_name = "Microsoft Defender" OR process_name = "CrowdStrike") or where the extension is part of a known integration.
Scenario: A user installs a VS Code extension for system monitoring or diagnostics, such as a performance tool or log viewer.
Filter/Exclusion: Exclude events where the extension is related to system monitoring (e.g., extension_name LIKE "%Monitor%" OR extension_name LIKE "%Log%") or where the user has elevated privileges.
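The following Python is an added example, not code from the hunting query or from Microsoft Sentinel. It re-implements the query's three steps (the `where` filter, the two `extract()` patterns, and the per-device/account `summarize`) over constructed DeviceProcessEvents rows so the capture behaviour can be checked offline, and then applies the kind of exclusions the scenarios above describe. Assumptions: the sample rows, paths and vsce-sign arguments are constructed; cached VSIX files are assumed to be named `<publisher>.<name>-<version>.vsix`; the allowlisted extension ids and automation parent processes are illustrative values; `InitiatingProcessFileName` is the parent-process column of DeviceProcessEvents.

```python
import re
from collections import defaultdict

# The two capture patterns from the hunting query, written as Python raw regexes.
# Inside the KQL single-quoted literal '\\\\' is one literal backslash and '\\s'
# is \s, so the first pattern reads 'CachedExtensionVSIXs\<name>' up to
# whitespace or a double quote; the second reads the forward-slash form.
VSIX_BACKSLASH = re.compile(r'CachedExtensionVSIXs\\([^\s"]+)')
VSIX_SLASH = re.compile(r'CachedExtensionVSIXs/([^"]+)')

# Assumption: cached VSIX files are named <publisher>.<name>-<version>.vsix
VSIX_FILENAME = re.compile(r'^(?P<ext_id>.+)-(?P<version>\d[^-]*)\.vsix$', re.IGNORECASE)

# Illustrative tuning lists standing in for the scenarios on this page.
ALLOWED_EXTENSION_IDS = {"esbenp.prettier-vscode", "dbaeumer.vscode-eslint"}
AUTOMATION_PARENTS = {"schtasks.exe"}


def extract_extension(cmdline):
    """Mirror the query's where + case() + iif() steps for one row.

    Returns None when the row would not pass the 'where' clause, "" when it
    passes but neither pattern captures a name, otherwise the VSIX file name.
    """
    lowered = cmdline.lower()  # KQL 'contains' is case-insensitive
    if "vsce-sign.exe" in lowered:
        match = VSIX_BACKSLASH.search(cmdline)
    elif "vsixs" in lowered:
        match = VSIX_SLASH.search(cmdline)
    else:
        return None
    return match.group(1) if match else ""


def extension_id(vsix_name):
    """Strip the version and .vsix suffix so the allowlist compares the full
    publisher.name identifier instead of a substring of the file name."""
    match = VSIX_FILENAME.match(vsix_name)
    return match.group("ext_id").lower() if match else vsix_name.lower()


def summarize(events, tuned=False):
    """Group like the query's summarize: a set of names and a row count per
    (DeviceName, AccountName). With tuned=True, rows explained by the benign
    scenarios (automation parent process, allowlisted extension id) are
    dropped before grouping."""
    groups = defaultdict(lambda: {"ExtensionName": set(), "count_": 0})
    for ev in events:
        name = extract_extension(ev["ProcessCommandLine"])
        if name is None:
            continue
        if tuned:
            parent = ev.get("InitiatingProcessFileName", "").lower()
            if parent in AUTOMATION_PARENTS:
                continue
            if name and extension_id(name) in ALLOWED_EXTENSION_IDS:
                continue
        key = (ev["DeviceName"], ev["AccountName"])
        groups[key]["ExtensionName"].add(name)
        groups[key]["count_"] += 1
    return dict(groups)


# Constructed DeviceProcessEvents rows (not real telemetry); the install paths
# and vsce-sign arguments are illustrative only.
SAMPLE_EVENTS = [
    {"DeviceName": "dev-ws01", "AccountName": "alice", "InitiatingProcessFileName": "Code.exe",
     "ProcessCommandLine": r'"C:\Program Files\Microsoft VS Code\bin\vsce-sign.exe" verify --package "C:\Users\alice\AppData\Roaming\Code\CachedExtensionVSIXs\esbenp.prettier-vscode-10.1.0.vsix"'},
    {"DeviceName": "dev-ws01", "AccountName": "alice", "InitiatingProcessFileName": "Code.exe",
     "ProcessCommandLine": r'"C:\Program Files\Microsoft VS Code\bin\vsce-sign.exe" verify --package "C:\Users\alice\AppData\Roaming\Code\CachedExtensionVSIXs\unknownpub.prettier-helper-0.0.1.vsix"'},
    {"DeviceName": "dev-mac02", "AccountName": "bob", "InitiatingProcessFileName": "Code Helper",
     "ProcessCommandLine": '/Applications/Visual Studio Code.app/Contents/MacOS/Electron --install-extension "/Users/bob/Library/Application Support/Code/CachedExtensionVSIXs/dbaeumer.vscode-eslint-2.4.4.vsix"'},
    {"DeviceName": "build-srv07", "AccountName": "svc-deploy", "InitiatingProcessFileName": "schtasks.exe",
     "ProcessCommandLine": r'"C:\Program Files\Microsoft VS Code\bin\vsce-sign.exe" verify --package "C:\Users\svc-deploy\AppData\Roaming\Code\CachedExtensionVSIXs\ms-python.python-2024.2.1.vsix"'},
    {"DeviceName": "dev-ws03", "AccountName": "carol", "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": "cmd.exe /c dir VSIxs"},
    {"DeviceName": "dev-ws04", "AccountName": "dave", "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": r"notepad.exe C:\notes.txt"},
]

if __name__ == "__main__":
    for label, result in (("raw", summarize(SAMPLE_EVENTS)),
                          ("tuned", summarize(SAMPLE_EVENTS, tuned=True))):
        print(f"--- {label} ---")
        for (device, account), row in sorted(result.items()):
            print(device, account, sorted(row["ExtensionName"]), row["count_"])
```

Two things the run makes visible. The allowlist keys on the full `publisher.name` id after the version is stripped, so the constructed `unknownpub.prettier-helper` row survives tuning even though its name contains "prettier"; a substring exclusion such as `extension_name LIKE "%Prettier%"` would have silenced it, which matters because the linked Check Point write-up concerns extensions that imitate popular ones. Rows whose ExtensionName comes back empty (the `dir VSIxs` row here) mean the command line mentioned the cache directory but no cache path was captured; they are kept, as the query keeps them, rather than discarded.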