diff --git a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
index 1132e001c..ccb577396 100644
--- a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
+++ b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
@@ -68,6 +68,8 @@ detection:
 - 'C:\WINDOWS\system32\NhNotifSys.exe'
 - TargetImage:
 - 'C:\Windows\System32\RuntimeBroker.exe'
+ - TargetImage|endswith:
+ - '\Microsoft VS Code\Code.exe'
 - CallTrace|contains: # attempt to save the rule with a broader filter
 - '|C:\WINDOWS\System32\RPCRT4.dll+'
 filter_set_1:
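Review bot: The new `TargetImage|endswith: '\Microsoft VS Code\Code.exe'` exclusion is anchored only on a path suffix, so any binary placed under a directory named `Microsoft VS Code` on any volume is dropped from this detection, whereas the neighbouring `RuntimeBroker.exe` entry in the same filter is an absolute-path match. The suffix match is presumably needed because VS Code can be installed per-user rather than under Program Files, but it can still be constrained to the expected install roots by ANDing a second modifier on the same list item, e.g. `- TargetImage|endswith: '\Microsoft VS Code\Code.exe'` followed on the next line by `  TargetImage|contains: ['\Program Files\', '\AppData\Local\Programs\']`. A short comment beside the entry, such as `# suffix match: VS Code is commonly a per-user install`, would tell the next maintainer why this entry is looser than its siblings and keep the exclusion from being widened further. The enclosing filter mapping starts before this hunk, so whether the rule's falsepositives or modified fields were updated for the new exclusion cannot be seen here.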