Query Details

Suspicious VS Code Extensions Hunting

Query

let SuspiciousExtension = DeviceFileEvents
| where TimeGenerated > ago(1h)
| where ActionType == "FileCreated"
| where FolderPath has_any ("vscode", "visual studio code", "microsoft vs code")
| where FolderPath has "extensions"
// Extension was NOT created by a normal VS Code process or installer
| where InitiatingProcessFileName !in~ (
    "code.exe", "code-insiders.exe", "node.exe",
    "winget.exe", "setup.exe", "CodeSetup.exe", "jamf app installers"
  )
// Suspicious parent processes (scripting hosts and download utilities)
| where InitiatingProcessFileName has_any (
    "powershell", "cmd", "wscript", "cscript",
    "mshta", "curl", "wget", "certutil"
  );
let HighRiskExtension = DeviceFileEvents
| where TimeGenerated > ago(1h)
| where ActionType == "FileCreated"
| where FolderPath has_any ("vscode", "visual studio code", "microsoft vs code")
| where FolderPath has "extensions"
// Only suspicious file types (parse_path returns the extension without the dot)
| extend FileExtension = tolower(tostring(parse_path(FileName).Extension))
| where FileExtension in ("js", "ts", "vsix", "json", "ps1", "sh", "exe", "dll", "py")
// Not from the normal VS Code updater process
| where InitiatingProcessFileName !in~ (
    "code.exe", "code-insiders.exe", "node.exe", "winget.exe", "setup.exe"
  );
union SuspiciousExtension, HighRiskExtension
// Enrich with reputation and signature data, then keep only rare, non-Microsoft-signed files
| invoke FileProfile(SHA256)
| where GlobalPrevalence < 10000
| where not(IsCertificateValid == true and SignatureState == "SignedValid" and Issuer == "Microsoft Code Signing PCA 2024")

About this query

Explanation

This Kusto Query Language (KQL) query is designed to detect potentially malicious activity involving Visual Studio Code extensions. Here is a simplified breakdown:

  1. Objective: The query identifies suspicious or high-risk Visual Studio Code extensions that could indicate a security threat.

  2. Suspicious Extensions:

    • It looks for new files created in the VS Code extensions folder within the last hour.
    • It filters out files created by trusted processes such as VS Code itself or system setup tools.
    • It keeps only files created by processes commonly abused to drop payloads, such as PowerShell, CMD, the Windows scripting hosts (wscript, cscript, mshta), curl, Wget, or certutil.

  3. High-Risk Extensions:

    • It also checks for new files in the VS Code extensions folder within the last hour.
    • It specifically targets high-risk file types such as JavaScript (.js), executables (.exe), PowerShell scripts (.ps1), and others.
    • It excludes files created by the usual VS Code updater processes.

  4. Combining Results:

    • The query combines the results from both the suspicious and the high-risk branches.
    • It uses a reputation check (FileProfile) to filter out common, well-known files, focusing on rare or unique files that are less prevalent globally (fewer than 10,000 occurrences).
    • It further filters out files that are validly signed by Microsoft, so that only potentially malicious files are flagged for further investigation.

In essence, this query helps security teams identify unusual or potentially dangerous VS Code extensions that might be used for defense evasion tactics.
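As an added way to check the filter logic before deploying it, the stages of the query above can be re-implemented and run offline against sample records. This is a constructed Python re-implementation written for this page, not the page's own query and not a Microsoft API: the FileEvent and Profile classes, the sample records, the folder paths and the "sha-..." hashes are placeholders made up here, and KQL's term-based `has` matching is approximated by splitting text into alphanumeric terms.

```python
import re
from dataclasses import dataclass

# Literals mirror the hunting query; this module is a constructed re-implementation.
VSCODE_PATH_MARKERS = ("vscode", "visual studio code", "microsoft vs code")
TRUSTED_INSTALLERS = {"code.exe", "code-insiders.exe", "node.exe",
                      "winget.exe", "setup.exe", "codesetup.exe", "jamf app installers"}
UPDATER_PROCESSES = {"code.exe", "code-insiders.exe", "node.exe", "winget.exe", "setup.exe"}
SUSPICIOUS_PARENTS = ("powershell", "cmd", "wscript", "cscript",
                      "mshta", "curl", "wget", "certutil")
HIGH_RISK_EXTENSIONS = {"js", "ts", "vsix", "json", "ps1", "sh", "exe", "dll", "py"}
PREVALENCE_THRESHOLD = 10000
TRUSTED_ISSUER = "Microsoft Code Signing PCA 2024"


@dataclass
class FileEvent:
    """Subset of DeviceFileEvents columns the query touches (hypothetical record shape)."""
    action_type: str
    folder_path: str
    file_name: str
    initiating_process: str
    sha256: str


@dataclass
class Profile:
    """Subset of the columns FileProfile() adds (hypothetical record shape)."""
    global_prevalence: int
    is_certificate_valid: bool
    signature_state: str
    issuer: str


def _terms(text: str) -> list:
    return re.findall(r"[a-z0-9]+", text.lower())


def has_term(text: str, phrase: str) -> bool:
    """Approximates KQL `has`: whole-term, case-insensitive match; a multi-word
    phrase must appear as consecutive terms. A substring inside a longer term does not match."""
    t, p = _terms(text), _terms(phrase)
    return any(t[i:i + len(p)] == p for i in range(len(t) - len(p) + 1))


def in_extensions_folder(folder_path: str) -> bool:
    return (any(has_term(folder_path, m) for m in VSCODE_PATH_MARKERS)
            and has_term(folder_path, "extensions"))


def file_extension(file_name: str) -> str:
    # parse_path(FileName).Extension yields the extension without the leading dot.
    return file_name.rsplit(".", 1)[1].lower() if "." in file_name else ""


def is_suspicious_extension(e: FileEvent) -> bool:
    """Branch 1: file written into the extensions folder by a scripting host or download tool."""
    proc = e.initiating_process.lower()
    return (e.action_type == "FileCreated"
            and in_extensions_folder(e.folder_path)
            and proc not in TRUSTED_INSTALLERS  # !in~ is case-insensitive whole-string equality
            and any(has_term(proc, p) for p in SUSPICIOUS_PARENTS))


def is_high_risk_extension(e: FileEvent) -> bool:
    """Branch 2: high-risk file type written by anything other than the updater."""
    return (e.action_type == "FileCreated"
            and in_extensions_folder(e.folder_path)
            and file_extension(e.file_name) in HIGH_RISK_EXTENSIONS
            and e.initiating_process.lower() not in UPDATER_PROCESSES)


def is_microsoft_signed(p: Profile) -> bool:
    return p.is_certificate_valid and p.signature_state == "SignedValid" and p.issuer == TRUSTED_ISSUER


def hunt(events, profiles):
    """Union of both branches, then the prevalence and signature filters."""
    hits = []
    for e in events:
        if not (is_suspicious_extension(e) or is_high_risk_extension(e)):
            continue
        prof = profiles.get(e.sha256)
        # A hash FileProfile() knows nothing about has a null GlobalPrevalence;
        # `where GlobalPrevalence < 10000` is not true for null, so KQL drops that row too.
        if prof is None or prof.global_prevalence >= PREVALENCE_THRESHOLD:
            continue
        if is_microsoft_signed(prof):
            continue
        hits.append(e)
    return hits


# Constructed sample records: paths, publishers and "sha-..." values are placeholders, not IoCs.
_EXT = r"C:\Users\alice\.vscode\extensions"
SAMPLE_EVENTS = [
    FileEvent("FileCreated", _EXT + r"\pub.helper-1.0.0", "extension.js", "powershell.exe", "sha-aaa"),
    FileEvent("FileCreated", _EXT + r"\ms-python.python-2024.1.0\out", "extension.js", "Code.exe", "sha-bbb"),
    FileEvent("FileCreated", _EXT + r"\staging", "tool.vsix", "explorer.exe", "sha-ccc"),
    FileEvent("FileCreated", r"C:\Users\bob\Documents", "notes.txt", "cmd.exe", "sha-ddd"),
    FileEvent("FileCreated", _EXT + r"\pub.loader-0.1", "payload.exe", "curl.exe", "sha-eee"),
    FileEvent("FileCreated", _EXT + r"\pub.docs-0.1", "README.md", "wscript.exe", "sha-fff"),
]
SAMPLE_PROFILES = {
    "sha-aaa": Profile(3, False, "Unsigned", ""),
    "sha-bbb": Profile(500000, True, "SignedValid", TRUSTED_ISSUER),
    "sha-ccc": Profile(12, True, "SignedValid", TRUSTED_ISSUER),
    "sha-ddd": Profile(2, False, "Unsigned", ""),
    # "sha-eee" is deliberately absent: unknown to the reputation service
    "sha-fff": Profile(2, False, "Unsigned", ""),
}


def run_sample():
    """Hashes of the sample events the query logic would surface."""
    return [e.sha256 for e in hunt(SAMPLE_EVENTS, SAMPLE_PROFILES)]


if __name__ == "__main__":
    print(run_sample())  # ['sha-aaa', 'sha-fff']
```

Two behaviours of the live query are worth keeping in mind and are mirrored here: a file that FileProfile() has no data for ("sha-eee") is dropped by the prevalence filter even though a brand-new file is often the most interesting one, so `where isnull(GlobalPrevalence) or GlobalPrevalence < 10000` is an option if you want those rows kept; and an event that matches both branches ("sha-aaa") is emitted twice by the KQL `union`, whereas this function evaluates each event once. FileProfile() also enriches only a limited number of records per query (100 by default, up to 1000 via its second argument), which is why the cheap filters sit before the `invoke`.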

Details

Benjamin Zulliger

Released: June 10, 2026

Tables

DeviceFileEvents

Keywords

DeviceFileEvents, FolderPath, Name, Extension, TimeGenerated, InitiatingProcess, GlobalPrevalence, SignatureState, Issuer, SHA256

Operators

let, |, where, >, ago(), ==, has_any(), !in~, has, extend, tolower(), tostring(), parse_path(), in, union, invoke, <, and, !=

MITRE Techniques
