sigma-rules

security-tools/sigma-rules

Fork 0

Commit Graph

Author	SHA1	Message	Date
Mika Ayenson, PhD	8993d1450b	[Rule Tuning] Add Supplemental Mitre Mappings (#5876 ) --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>	2026-04-01 09:12:42 -05:00
Samirbous	ec4a0e58e4	[New] Suspicious Execution from VS Code Extension (#5786 ) * [New] Suspicious Execution from VS Code Extension Detects suspicious process execution launched from a VS Code extension context (parent command line contains .vscode/extensions). Malicious extensions can run on startup and drop or execute payloads (e.g. RATs like ScreenConnect, script interpreters, or download utilities). This covers both script/LOLBin children and recently created executables from non-Program Files paths, as seen in campaigns such as the fake Clawdbot extension that installed ScreenConnect RAT. * Update initial_access_suspicious_execution_from_vscode_extension.toml * Update initial_access_suspicious_execution_from_vscode_extension.toml * ++ * Update initial_access_suspicious_execution_from_vscode_extension.toml * Update initial_access_suspicious_execution_from_vscode_extension.toml * Update initial_access_suspicious_execution_from_vscode_extension.toml * Update initial_access_suspicious_execution_from_vscode_extension.toml * Update initial_access_suspicious_execution_from_vscode_extension.toml	2026-03-09 16:22:41 +00:00

Author

SHA1

Message

Date

Mika Ayenson, PhD

8993d1450b

[Rule Tuning] Add Supplemental Mitre Mappings (#5876 )

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>

2026-04-01 09:12:42 -05:00

Samirbous

ec4a0e58e4

[New] Suspicious Execution from VS Code Extension (#5786 )

* [New] Suspicious Execution from VS Code Extension

Detects suspicious process execution launched from a VS Code extension context (parent command line contains
.vscode/extensions). Malicious extensions can run on startup and drop or execute payloads (e.g. RATs like
ScreenConnect, script interpreters, or download utilities). This covers both script/LOLBin children and
recently created executables from non-Program Files paths, as seen in campaigns such as the fake Clawdbot
extension that installed ScreenConnect RAT.

* Update initial_access_suspicious_execution_from_vscode_extension.toml

* Update initial_access_suspicious_execution_from_vscode_extension.toml

* ++

* Update initial_access_suspicious_execution_from_vscode_extension.toml

* Update initial_access_suspicious_execution_from_vscode_extension.toml

* Update initial_access_suspicious_execution_from_vscode_extension.toml

* Update initial_access_suspicious_execution_from_vscode_extension.toml

* Update initial_access_suspicious_execution_from_vscode_extension.toml

2026-03-09 16:22:41 +00:00

2 Commits