{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/vs-code/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["VS Code"],"_cs_severities":["medium"],"_cs_tags":["initial-access","execution","supply-chain-compromise","vscode"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eA malicious VS Code extension, configured to run upon editor startup, can execute arbitrary commands, potentially leading to the installation of remote access trojans (RATs) or other malicious payloads. The attack vector leverages the extension host under \u003ccode\u003e.vscode/extensions/\u003c/code\u003e to spawn processes such as script interpreters or download utilities. This activity has been observed in campaigns like the fake Clawdbot extension that installed ScreenConnect RAT. The execution can involve Living-off-the-Land binaries (LOLBins) or recently created executables from non-standard paths, posing a significant risk to Windows systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user installs a malicious VS Code extension.\u003c/li\u003e\n\u003cli\u003eThe extension is configured with \u003ccode\u003eactivationEvents: [\u0026quot;onStartupFinished\u0026quot;]\u003c/code\u003e to run automatically when VS Code starts.\u003c/li\u003e\n\u003cli\u003eThe VS Code extension host (\u003ccode\u003eCode.exe\u003c/code\u003e or \u003ccode\u003enode.exe\u003c/code\u003e) spawns a script interpreter (e.g., \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e) from within the \u003ccode\u003e.vscode/extensions/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe script interpreter executes a command to download a malicious payload from a remote server using tools like \u003ccode\u003ecurl.exe\u003c/code\u003e, \u003ccode\u003ebitsadmin.exe\u003c/code\u003e, or \u003ccode\u003emshta.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is saved to disk, often in a temporary directory outside of Program Files.\u003c/li\u003e\n\u003cli\u003eThe script interpreter executes the downloaded payload, leading to further malicious activity. For example, ScreenConnect might be installed.\u003c/li\u003e\n\u003cli\u003ePersistence mechanisms are established (e.g., via registry keys or scheduled tasks).\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote access to the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the complete compromise of a developer\u0026rsquo;s workstation, potentially affecting intellectual property and sensitive data. The installation of RATs like ScreenConnect can enable persistent remote access, allowing attackers to perform data exfiltration, lateral movement, and further malicious activities. The compromised machine can then be used as a pivot point to attack other systems within the organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Suspicious Execution from VS Code Extension\u0026rdquo; Sigma rule to your SIEM to detect malicious process execution from VS Code extensions.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for script interpreters and LOLBins spawned from the \u003ccode\u003e.vscode/extensions/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unsigned or untrusted executables.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit installed VS Code extensions for suspicious activity or unnecessary permissions.\u003c/li\u003e\n\u003cli\u003eEducate developers about the risks of installing extensions from untrusted sources.\u003c/li\u003e\n\u003cli\u003eBlock the C2 domains associated with ScreenConnect and other RATs at the firewall/DNS resolver.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-vscode-extension-execution/","summary":"Malicious VS Code extensions can execute arbitrary commands, leading to initial access and subsequent payload deployment on Windows systems.","title":"Suspicious Execution from VS Code Extension","url":"https://feed.craftedsignal.io/briefs/2024-01-vscode-extension-execution/"}],"language":"en","title":"CraftedSignal Threat Feed — VS Code","version":"https://jsonfeed.org/version/1.1"}