Malicious PE Execution by Microsoft Visual Studio Debugger

Severity: medium
Author: Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community
Source: upstream

There is an option for a MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch specified executable and attach a debugger. This option may be used adversaries to execute malicious code by signed verified binary. The debugger is installed alongside with Microsoft Visual Studio package.

MITRE ATT&CK coverage

Tactic	Techniques
Defense Evasion	`T1218` System Binary Proxy Execution

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation
Security-Auditing	4688	A new process has been created.

Stages and Predicates

Stage 1: `selection`

ParentImage|endswith: '\vsjitdebugger.exe'

Stage 2: `not reduction1`

Image|endswith: '\vsimmersiveactivatehelper*.exe'

Stage 3: `not reduction2`

Image|endswith: '\devenv.exe'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Image`	ends_with	`\devenv.exe` `\vsimmersiveactivatehelper*.exe`
`ParentImage`	ends_with	`\vsjitdebugger.exe`