Elastic Security Detection Rules

Suspicious Execution from VS Code Extension

Last updated a month ago on 2026-02-13
Created a month ago on 2026-02-13

About

Detects suspicious process execution launched from a VS Code extension context (parent command line contains .vscode/extensions). Malicious extensions can run on startup and drop or execute payloads (e.g. RATs like ScreenConnect, script interpreters, or download utilities). This covers both script/LOLBin children and recently created executables from non-Program Files paths, as seen in campaigns such as the fake Clawdbot extension that installed ScreenConnect RAT.
Tags
Domain: EndpointOS: WindowsUse Case: Threat DetectionTactic: Initial AccessTactic: ExecutionData Source: Elastic DefendLanguage: eql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Initial Access (TA0001)(external, opens in a new tab or window)

Supply Chain Compromise (T1195)(external, opens in a new tab or window)

Execution (TA0002)(external, opens in a new tab or window)

Command and Scripting Interpreter (T1059)(external, opens in a new tab or window)

User Execution (T1204)(external, opens in a new tab or window)

License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-endpoint.events.process-*
Related Integrations

endpoint(external, opens in a new tab or window)

Query
text code block:
process where host.os.type == "windows" and event.action == "start" and
  process.parent.name : ("node.exe", "Code.exe") and
  process.parent.command_line != null and
  process.parent.command_line : ("*vscode*extensions*", "*extensionHost*") and
  (
    process.name : (
      "cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "msiexec.exe",
      "curl.exe", "bitsadmin.exe", "wscript.exe", "cscript.exe", "mshta.exe",
      "node.exe"
    ) or
	
	// recently dropped PE
    process.Ext.relative_file_creation_time <= 500
  ) and 
  not (process.name : "cmd.exe" and process.args : ("npm.cmd config get prefix", "code -v", "chcp")) and 
  not (process.name : "python.exe" and process.parent.command_line : "*ms-python.vscode-*")

Install detection rules in Elastic Security

Detect Suspicious Execution from VS Code Extension in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).