From 947fa79dd3d00a4ce577b16b643c15e6f744a419 Mon Sep 17 00:00:00 2001 From: "uncleP@sk" Date: Wed, 14 Oct 2020 13:29:25 +0300 Subject: [PATCH] vsjitdebugger detection added --- .../win_susp_use_of_vsjitdebugger_bin.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml diff --git a/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml b/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml new file mode 100644 index 000000000..89382b90c --- /dev/null +++ b/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml @@ -0,0 +1,23 @@ +title: Malicious PE Execution by Microsoft Visual Studio Debugger +id: 15c7904e-6ad1-4a45-9b46-5fb25df37fd2 +status: experimental +description: There is an option for a MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch specified executable and attach a debugger. This option may be used adversaries to execute malicious code by signed verified binary. The debugger is installed alongside with Microsoft Visual Studio package. +references: + - https://twitter.com/pabraeken/status/990758590020452353 + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Vsjitdebugger.yml + - https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019 +tags: + - attack.t1218 +author: Agro (@agro_sev) oscd.community +date: 2020/10/14 +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage|endswith: '\vsjitdebugger.exe' + condition: selection +falsepositives: + - the process spawned by vsjitdebugger.exe is uncommon. +level: medium +
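Review bot: The selection `ParentImage|endswith: '\vsjitdebugger.exe'` matches every process started under vsjitdebugger.exe, including the target a developer launches through a normal Just-In-Time debugging session, so on workstations with Visual Studio installed this will fire on legitimate use; consider a filter for expected child images or a note in `falsepositives` that any Visual Studio developer host is a source of hits, and the current entry "the process spawned by vsjitdebugger.exe is uncommon." should be reworded to say what the false positive actually is (for example, "Legitimate debugging of an executable by a developer"). In `description`, "This option may be used adversaries to execute malicious code by signed verified binary" is missing "by" and should read "may be used by adversaries to execute malicious code via a signed, verified binary", and "installed alongside with" should be "installed alongside". Under `tags`, `attack.t1218` is listed without its tactic tag; Sigma rules normally pair the technique with `attack.defense_evasion`.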