Suspicious VS Code Extensions Hunting
Query
let SuspiciousExtension = DeviceFileEvents
| where TimeGenerated > ago(1h)
| where ActionType == "FileCreated"
| where FolderPath has_any ("vscode", "visual studio code", "microsoft vs code")
| where FolderPath has "extensions"
// Extension was NOT created by a normal VSCode process
| where InitiatingProcessFileName !in~ (
"code.exe", "code-insiders.exe", "node.exe",
"winget.exe", "setup.exe", "CodeSetup.exe", "jamf app installers"
)
// Suspicious parent processes
| where InitiatingProcessFileName has_any (
"powershell", "cmd", "wscript", "cscript",
"mshta", "curl", "wget", "certutil"
);
let HighRiskExtension = DeviceFileEvents
| where TimeGenerated > ago(1h)
| where ActionType == "FileCreated"
| where FolderPath has_any ("vscode", "visual studio code", "microsoft vs code")
| where FolderPath has "extensions"
// Only suspicious file types
| extend FileExtension = tolower(tostring(parse_path(FileName).Extension))
| where FileExtension in ("js", "ts", "vsix", "json", "ps1", "sh", "exe", "dll", "py")
// Not from the normal VSCode updater process
| where InitiatingProcessFileName !in~ (
"code.exe", "code-insiders.exe", "node.exe", "winget.exe", "setup.exe"
);
union SuspiciousExtension, HighRiskExtension
// Enrich each file hash with reputation and signer data from the FileProfile() function
| invoke FileProfile(SHA256)
// Keep rare files only: observed globally by Microsoft fewer than 10,000 times
| where GlobalPrevalence < 10000
// Drop files that carry a valid Microsoft code signature
| where not(IsCertificateValid == 1 and SignatureState == "SignedValid" and Issuer == "Microsoft Code Signing PCA 2024")
About this query
Explanation
This Kusto Query Language (KQL) script is designed to detect potentially malicious activities involving Visual Studio Code extensions. Here's a simplified breakdown:
- Objective: The query aims to identify suspicious or high-risk Visual Studio Code extensions that could indicate a security threat.
- Suspicious Extensions:
  - It looks for new files created in the VS Code extensions folder within the last hour.
  - It filters out files created by trusted processes like VS Code itself or system setup tools.
  - It focuses on files created by potentially harmful processes such as PowerShell, CMD, curl, or Wget.
- High-Risk Extensions:
  - It also checks for new files in the VS Code extensions folder within the last hour.
  - It specifically targets high-risk file types like JavaScript (.js), executable files (.exe), PowerShell scripts (.ps1), and others.
  - It excludes files created by the usual VS Code updater processes.
- Combining Results:
  - The query combines the results from both suspicious and high-risk extensions.
  - It uses a reputation check to filter out common, well-known files, focusing on rare or unique files that are less prevalent globally (less than 10,000 occurrences).
  - It further filters out files that are validly signed by Microsoft, ensuring only potentially malicious files are flagged for further investigation.
In essence, this query helps security teams identify unusual or potentially dangerous VS Code extensions that might be used for defense evasion tactics.
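As an added example (not part of the original query or of this page), the same two-branch logic re-implemented in Python and run over constructed DeviceFileEvents-style records, so the filters can be exercised offline; substring matching stands in for KQL's term-based has/has_any, and the user profile path, process names and prevalence values are assumptions.

```python
from pathlib import PureWindowsPath
# Lists mirror the KQL above; substring checks approximate KQL `has`/`has_any` term matching.
VSCODE_MARKERS = ("vscode", "visual studio code", "microsoft vs code")
TRUSTED_PARENTS = {"code.exe", "code-insiders.exe", "node.exe", "winget.exe", "setup.exe", "codesetup.exe"}
SUSPICIOUS_PARENTS = ("powershell", "cmd", "wscript", "cscript", "mshta", "curl", "wget", "certutil")
HIGH_RISK_EXT = {"js", "ts", "vsix", "json", "ps1", "sh", "exe", "dll", "py"}
MS_ISSUER = "Microsoft Code Signing PCA 2024"
def in_extensions_dir(folder: str) -> bool:
    f = folder.lower()
    return any(m in f for m in VSCODE_MARKERS) and "extensions" in f
def microsoft_signed(e: dict) -> bool:
    return (bool(e.get("IsCertificateValid")) and e.get("SignatureState") == "SignedValid"
            and e.get("Issuer") == MS_ISSUER)

def hunt(events: list, max_prevalence: int = 10000) -> list:
    """FileNames flagged by either union branch after the FileProfile filters (time window omitted)."""
    hits = []
    for e in events:
        proc = e["InitiatingProcessFileName"].lower()
        if e["ActionType"] != "FileCreated" or not in_extensions_dir(e["FolderPath"]):
            continue
        if proc in TRUSTED_PARENTS:  # the !in~ exclusion shared by both branches
            continue
        suspicious_parent = any(p in proc for p in SUSPICIOUS_PARENTS)          # SuspiciousExtension branch
        ext = PureWindowsPath(e["FileName"]).suffix.lstrip(".").lower()          # parse_path(FileName).Extension
        if not (suspicious_parent or ext in HIGH_RISK_EXT):                       # HighRiskExtension branch
            continue
        prevalence = e.get("GlobalPrevalence")  # None: no FileProfile record for this hash
        # Caveat: KQL `GlobalPrevalence < 10000` silently drops such null rows; they are kept here.
        if prevalence is not None and prevalence >= max_prevalence:
            continue
        if microsoft_signed(e):
            continue
        hits.append(e["FileName"])
    return hits

def make_event(sub: str, name: str, proc: str, prev, ms_signed: bool = False) -> dict:
    """Constructed DeviceFileEvents/FileProfile-style record under an assumed user profile path."""
    sig = dict(IsCertificateValid=True, SignatureState="SignedValid", Issuer=MS_ISSUER) if ms_signed else {}
    return dict(ActionType="FileCreated", FolderPath=r"C:\Users\alice\.vscode\extensions" + "\\" + sub,
                FileName=name, InitiatingProcessFileName=proc, GlobalPrevalence=prev, **sig)

SAMPLE_EVENTS = [  # constructed, not real telemetry
    make_event("helper-0.0.1", "extension.js", "powershell.exe", 3),              # flagged
    make_event("ms-python.python-2024.4.1", "package.json", "Code.exe", 250000),  # trusted parent
    make_event("tool-2.0", "native.dll", "msiexec.exe", 800000),                  # too prevalent
    make_event("tool-2.0", "loader.exe", "cmd.exe", 12, ms_signed=True),          # Microsoft-signed
    make_event("dropper-1.0", "stage.ps1", "mshta.exe", None),                    # unknown hash: flagged
]
```

The prevalence caveat matters in the real query too: `where GlobalPrevalence < 10000` also discards files FileProfile() has never seen, which are often the ones worth a look, so `where isnull(GlobalPrevalence) or GlobalPrevalence < 10000` keeps them in scope.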
Details

Benjamin Zulliger
Released: June 10, 2026
Tables
DeviceFileEvents
Keywords
DeviceFileEvents, FolderPath, Name, Extension, TimeGenerated, InitiatingProcess, GlobalPrevalence, SignatureState, Issuer, SHA256
Operators
let, |, where, >, ago(), ==, has_any(), !in~, has, extend, tolower(), tostring(), parse_path(), in, union, invoke, <, and, !=
MITRE Techniques