Query Details

VS Code Persistence

Query

# Rule Documentation: VS Code Folder Open Task Execution

## Description
Detects VS Code tasks configured with runOn: folderOpen, which VS Code executes automatically when the folder is opened.

## Detection Logic
- File events on .vscode/tasks.json

## MITRE ATT&CK
- T1053 – Scheduled Task / Job
- T1204 – User Execution

## Tags
Persistence, VSCode, Supply Chain

## Search Query
```kql
DeviceFileEvents
// any file event whose path contains a .vscode folder
| where FolderPath has ".vscode"
// case-insensitive exact match on the task definition file
| where FileName =~ "tasks.json"
```

## References
- VS Code Tasks Abuse
- PolinRider Attack

Explanation

This query is designed to detect potentially malicious configurations in Visual Studio Code (VS Code) that could automatically execute tasks when a folder is opened. Here's a simple breakdown of what the query does:

  1. Purpose: The query aims to identify suspicious or malicious tasks in VS Code that are set to run automatically when a folder is opened. This is a potential security risk, as it can be exploited for unauthorized code execution.

  2. Detection Logic:
     • The query looks for file events specifically related to the .vscode directory.
     • It focuses on the tasks.json file, which is where VS Code tasks are configured.

  3. MITRE ATT&CK Techniques:
     • T1053: This relates to scheduled tasks or jobs, indicating that the query is looking for tasks that might be set to run automatically.
     • T1204: This involves user execution; here the user action that triggers the task is opening the folder in VS Code.

  4. Tags: The query is associated with persistence (indicating a method to maintain access to a system), VSCode (the environment being monitored), and supply chain (potentially indicating a broader risk if such tasks are distributed through shared code).

  5. Search Query:
     • The query filters for file events where the folder path includes .vscode and the file name is tasks.json, indicating a focus on task configurations within VS Code projects.

  6. References: The query is informed by known methods of abusing VS Code tasks and specific attacks like the PolinRider attack, which may exploit such configurations.

In summary, this query helps in identifying potentially harmful configurations in VS Code that could be used to execute tasks automatically, posing a security risk.
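The query only tells you that a tasks.json was written; the analyst still has to open the file and check whether any task carries runOn: folderOpen. The following triage helper is an added example, not part of the original rule or of VS Code itself. It assumes the file uses VS Code's JSON-with-comments syntax (comments and trailing commas are stripped before parsing) and flags a task when runOptions.runOn equals "folderOpen"; the sample file and its script path are constructed.

```python
"""Triage a .vscode/tasks.json surfaced by the query: list the tasks that auto-run.

Added example. Assumes tasks.json is JSON with comments (JSONC), so comments and
trailing commas are removed before parsing; flags runOptions.runOn == "folderOpen".
"""
import json
import re

# Match string literals first so a "//" inside a string is never treated as a comment.
_TOKEN_RE = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.DOTALL)


def strip_jsonc(text: str) -> str:
    """Drop // and /* */ comments and trailing commas; string contents are kept."""
    no_comments = _TOKEN_RE.sub(lambda m: m.group(0) if m.group(0).startswith('"') else "", text)
    return re.sub(r",\s*([}\]])", r"\1", no_comments)


def folder_open_tasks(tasks_json: str) -> list[dict]:
    """Return the tasks VS Code would start automatically when the folder is opened."""
    doc = json.loads(strip_jsonc(tasks_json))
    flagged = []
    for task in doc.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            flagged.append({
                "label": task.get("label"),
                "type": task.get("type"),
                "command": task.get("command"),
                "args": task.get("args", []),
            })
    return flagged


# Constructed sample: one ordinary build task and one task set to run on folder open.
SAMPLE_TASKS_JSON = """{
  // comment syntax and trailing commas are accepted in VS Code's tasks.json
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "make", },
    {
      "label": "setup", /* looks routine at a glance */
      "type": "shell",
      "command": "sh",
      "args": ["-c", "./scripts/placeholder-setup.sh"],
      "runOptions": { "runOn": "folderOpen" }
    }
  ]
}"""

if __name__ == "__main__":
    for t in folder_open_tasks(SAMPLE_TASKS_JSON):
        print(f"auto-run task {t['label']!r}: {t['command']} {' '.join(t['args'])}")
```

Pointing the helper at the FolderPath from an alert gives the label, command and arguments of every auto-run task, which is what decides whether the event is a benign project setup or something to escalate.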

Details


Ali Hussein

Released: March 29, 2026

Tables

DeviceFileEvents

Keywords

DeviceFileEvents

Operators

has, =~
