From 6e619f86ed4d769a63433af9f82482810b9d26de Mon Sep 17 00:00:00 2001 From: Bobby Cooke Date: Thu, 20 Mar 2025 15:07:26 -0700 Subject: [PATCH 1/4] VS Code Electron application hollowing with JavaScript C2 code and arbitrary Node.JS JavaScript code execution --- yml/OtherMSBinaries/Code.yml | 37 ++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 yml/OtherMSBinaries/Code.yml diff --git a/yml/OtherMSBinaries/Code.yml b/yml/OtherMSBinaries/Code.yml new file mode 100644 index 00000000..a512986d --- /dev/null +++ b/yml/OtherMSBinaries/Code.yml 
@@ -0,0 +1,37 @@ +--- +Name: Code.exe +Description: Visual Studio Code (VS Code) is a lightweight, open-source code editor with built-in debugging, Git integration, and extensive extension support. +Author: Bobby Cooke +Created: 2025-03-20 +Commands: + - Command: Code.exe + Description: Generate Node.JS JavaScript payload and package.json, and save to "%LOCALAPPDATA%\\Programs\\Microsoft VS Code\\\\resources\\app\\" before executing. + Usecase: Execute Node.JS JavaScript code + Category: Execute + Privileges: User + MitreID: T1218.015 + OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: Node.JS +Full_Path: + - Path: 'C:\Users\\AppData\Local\Programs\Microsoft VS Code\Code.exe' +Detection: + - IOC: "%LOCALAPPDATA%\\Programs\\Microsoft VS Code\\resources\\app directory created" + - IOC: "%LOCALAPPDATA%\\Programs\\Microsoft VS Code\\Code.exe file created/modified by non-Code installer/updater" + - Sigma: https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml +Resources: + - Link: https://securityintelligence.com/x-force/bypassing-windows-defender-application-control-loki-c2/ +Acknowledgement: + - Person: Bobby Cooke + Handle: '@0xBoku' + - Person: Dylan Tran + Handle: '@d_tranman' + - Person: Ellis Springe + Handle: '@knavesec' + - Person: Valentina Palmiotti + Handle: '@chompie1337' + - Person: Ruben Boonen + Handle: '@FuzzySec' + - Person: Andrew Kisliakov + - Person: mr.d0x + Handle: '@mrd0x' From 6403128742534090dad342a459d4d8b74b25aaea Mon Sep 17 00:00:00 2001 From: Bobby Cooke <19784872+boku7@users.noreply.github.com> Date: Thu, 20 Mar 2025 15:17:14 -0700 Subject: [PATCH 2/4] Update Code.yml fixed trailing spaces --- yml/OtherMSBinaries/Code.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OtherMSBinaries/Code.yml b/yml/OtherMSBinaries/Code.yml index a512986d..edef7586 100644 --- a/yml/OtherMSBinaries/Code.yml 
+++ b/yml/OtherMSBinaries/Code.yml @@ -26,7 +26,7 @@ Acknowledgement: Handle: '@0xBoku' - Person: Dylan Tran Handle: '@d_tranman' - - Person: Ellis Springe + - Person: Ellis Springe Handle: '@knavesec' - Person: Valentina Palmiotti Handle: '@chompie1337' From 2b7ad93069afbd43fcc0052dd6281cedbe132d02 Mon Sep 17 00:00:00 2001 From: Wietze Date: Wed, 16 Apr 2025 09:33:55 +0100 Subject: [PATCH 3/4] Moving contents to existing Code.exe entry --- yml/HonorableMentions/Code.yml | 16 +++++++++++++++ yml/OtherMSBinaries/Code.yml | 37 ---------------------------------- 2 files changed, 16 insertions(+), 37 deletions(-) delete mode 100644 yml/OtherMSBinaries/Code.yml diff --git a/yml/HonorableMentions/Code.yml b/yml/HonorableMentions/Code.yml index 6ea99828..18227137 100644 --- a/yml/HonorableMentions/Code.yml +++ b/yml/HonorableMentions/Code.yml @@ -11,6 +11,15 @@ Commands: Privileges: User MitreID: T1219 OperatingSystem: Windows 10, Windows 11 + - Command: Code.exe + Description: Generate Node.JS JavaScript payload and package.json, and save to "%LOCALAPPDATA%\\Programs\\Microsoft VS Code\\\\resources\\app\\" before executing. + Usecase: Execute Node.JS JavaScript code + Category: Execute + Privileges: User + MitreID: T1218.015 + OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: Node.JS Full_Path: - Path: 'C:\Users\\AppData\Local\Programs\Microsoft VS Code\Code.exe' - Path: C:\Program Files\Microsoft VS Code\Code.exe 
@@ -19,7 +28,14 @@ Detection: - IOC: Websocket traffic to global.rel.tunnels.api.visualstudio.com - IOC: 'Process tree: code.exe -> cmd.exe -> node.exe -> winpty-agent.exe' - IOC: 'File write of code_tunnel.json which is parametizable, but defaults to: %UserProfile%\.vscode-cli\code_tunnel.json' + - IOC: "%LOCALAPPDATA%\\Programs\\Microsoft VS Code\\resources\\app directory created" + - IOC: "%LOCALAPPDATA%\\Programs\\Microsoft VS Code\\Code.exe file created/modified by non-Code installer/updater" + - Sigma: https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml Resources: - Link: https://badoption.eu/blog/2023/01/31/code_c2.html - Link: https://code.visualstudio.com/docs/remote/tunnels - Link: https://code.visualstudio.com/blogs/2022/12/07/remote-even-better + - Link: https://securityintelligence.com/x-force/bypassing-windows-defender-application-control-loki-c2/ +Acknowledgement: + - Person: Bobby Cooke + Handle: '@0xBoku' diff --git a/yml/OtherMSBinaries/Code.yml b/yml/OtherMSBinaries/Code.yml deleted file mode 100644 index edef7586..00000000 --- a/yml/OtherMSBinaries/Code.yml +++ /dev/null 
@@ -1,37 +0,0 @@ ---- -Name: Code.exe -Description: Visual Studio Code (VS Code) is a lightweight, open-source code editor with built-in debugging, Git integration, and extensive extension support. -Author: Bobby Cooke -Created: 2025-03-20 -Commands: - - Command: Code.exe - Description: Generate Node.JS JavaScript payload and package.json, and save to "%LOCALAPPDATA%\\Programs\\Microsoft VS Code\\\\resources\\app\\" before executing. - Usecase: Execute Node.JS JavaScript code - Category: Execute - Privileges: User - MitreID: T1218.015 - OperatingSystem: Windows 10, Windows 11 - Tags: - - Execute: Node.JS -Full_Path: - - Path: 'C:\Users\\AppData\Local\Programs\Microsoft VS Code\Code.exe' -Detection: - - IOC: "%LOCALAPPDATA%\\Programs\\Microsoft VS Code\\resources\\app directory created" - - IOC: "%LOCALAPPDATA%\\Programs\\Microsoft VS Code\\Code.exe file created/modified by non-Code installer/updater" - - Sigma: https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml -Resources: - - Link: https://securityintelligence.com/x-force/bypassing-windows-defender-application-control-loki-c2/ -Acknowledgement: - - Person: Bobby Cooke - Handle: '@0xBoku' - - Person: Dylan Tran - Handle: '@d_tranman' - - Person: Ellis Springe - Handle: '@knavesec' - - Person: Valentina Palmiotti - Handle: '@chompie1337' - - Person: Ruben Boonen - Handle: '@FuzzySec' - - Person: Andrew Kisliakov - - Person: mr.d0x - Handle: '@mrd0x' From d0f7b86a54a5ddffb7d5f8f4caa90d92dad3ace4 Mon Sep 17 00:00:00 2001 
From: Wietze Date: Wed, 16 Apr 2025 09:56:22 +0100 Subject: [PATCH 4/4] Revert "Moving contents to existing Code.exe entry" This reverts commit 2b7ad93069afbd43fcc0052dd6281cedbe132d02. --- yml/HonorableMentions/Code.yml | 16 --------------- yml/OtherMSBinaries/Code.yml | 37 ++++++++++++++++++++++++++++++++++ 2 files changed, 37 insertions(+), 16 deletions(-) create mode 100644 yml/OtherMSBinaries/Code.yml diff --git a/yml/HonorableMentions/Code.yml b/yml/HonorableMentions/Code.yml index 18227137..6ea99828 100644 --- a/yml/HonorableMentions/Code.yml +++ b/yml/HonorableMentions/Code.yml @@ -11,15 +11,6 @@ Commands: Privileges: User MitreID: T1219 OperatingSystem: Windows 10, Windows 11 - - Command: Code.exe - Description: Generate Node.JS JavaScript payload and package.json, and save to "%LOCALAPPDATA%\\Programs\\Microsoft VS Code\\\\resources\\app\\" before executing. - Usecase: Execute Node.JS JavaScript code - Category: Execute - Privileges: User - MitreID: T1218.015 - OperatingSystem: Windows 10, Windows 11 - Tags: - - Execute: Node.JS Full_Path: - Path: 'C:\Users\\AppData\Local\Programs\Microsoft VS Code\Code.exe' - Path: C:\Program Files\Microsoft VS Code\Code.exe 
@@ -28,14 +19,7 @@ Detection: - IOC: Websocket traffic to global.rel.tunnels.api.visualstudio.com - IOC: 'Process tree: code.exe -> cmd.exe -> node.exe -> winpty-agent.exe' - IOC: 'File write of code_tunnel.json which is parametizable, but defaults to: %UserProfile%\.vscode-cli\code_tunnel.json' - - IOC: "%LOCALAPPDATA%\\Programs\\Microsoft VS Code\\resources\\app directory created" - - IOC: "%LOCALAPPDATA%\\Programs\\Microsoft VS Code\\Code.exe file created/modified by non-Code installer/updater" - - Sigma: https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml Resources: - Link: https://badoption.eu/blog/2023/01/31/code_c2.html - Link: https://code.visualstudio.com/docs/remote/tunnels - Link: https://code.visualstudio.com/blogs/2022/12/07/remote-even-better - - Link: https://securityintelligence.com/x-force/bypassing-windows-defender-application-control-loki-c2/ -Acknowledgement: - - Person: Bobby Cooke - Handle: '@0xBoku' diff --git a/yml/OtherMSBinaries/Code.yml b/yml/OtherMSBinaries/Code.yml new file mode 100644 index 00000000..edef7586 --- /dev/null +++ b/yml/OtherMSBinaries/Code.yml 
@@ -0,0 +1,37 @@ +--- +Name: Code.exe +Description: Visual Studio Code (VS Code) is a lightweight, open-source code editor with built-in debugging, Git integration, and extensive extension support. +Author: Bobby Cooke +Created: 2025-03-20 +Commands: + - Command: Code.exe + Description: Generate Node.JS JavaScript payload and package.json, and save to "%LOCALAPPDATA%\\Programs\\Microsoft VS Code\\\\resources\\app\\" before executing. + Usecase: Execute Node.JS JavaScript code + Category: Execute + Privileges: User + MitreID: T1218.015 + OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: Node.JS +Full_Path: + - Path: 'C:\Users\\AppData\Local\Programs\Microsoft VS Code\Code.exe' +Detection: + - IOC: "%LOCALAPPDATA%\\Programs\\Microsoft VS Code\\resources\\app directory created" + - IOC: "%LOCALAPPDATA%\\Programs\\Microsoft VS Code\\Code.exe file created/modified by non-Code installer/updater" + - Sigma: https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml +Resources: + - Link: https://securityintelligence.com/x-force/bypassing-windows-defender-application-control-loki-c2/ +Acknowledgement: + - Person: Bobby Cooke + Handle: '@0xBoku' + - Person: Dylan Tran + Handle: '@d_tranman' + - Person: Ellis Springe + Handle: '@knavesec' + - Person: Valentina Palmiotti + Handle: '@chompie1337' + - Person: Ruben Boonen + Handle: '@FuzzySec' + - Person: Andrew Kisliakov + - Person: mr.d0x + Handle: '@mrd0x'
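Review bot: In the PATCH 1/4 hunk creating yml/OtherMSBinaries/Code.yml, the Description's double-quoted path uses `\\\\resources` while both IOC lines use `\\resources`; in a YAML double-quoted scalar `\\\\` unescapes to two backslashes, so the rendered Description path reads `Microsoft VS Code\\resources\app\` and disagrees with the Detection entries. Suggest `"%LOCALAPPDATA%\\Programs\\Microsoft VS Code\\resources\\app\\"` to match. In the same hunk the Command field is the bare `Code.exe` while the procedure (generate payload and package.json, stage them, then execute) lives only in Description, so the entry never identifies what is actually invoked; defenders mapping the two IOCs to a command line need that, or at least an explicit pointer to the securityintelligence.com write-up in Resources. The Full_Path value `C:\Users\\AppData\Local\...` has nothing between the two backslashes; if a username placeholder was intended it is missing. Minor: `Node.JS` in Usecase and Tags is conventionally written `Node.js`.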
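Review bot: The PATCH 2/4 hunk changes only trailing whitespace on the `- Person: Ellis Springe` line (the `-` and `+` lines are otherwise identical), which is a fixup that should be squashed into PATCH 1/4 rather than kept as its own commit, especially since PATCH 4/4 ends up re-creating the file at this commit's blob (edef7586) anyway.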
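Review bot: In the PATCH 3/4 hunk for yml/HonorableMentions/Code.yml, the Acknowledgement block appended at the end credits only Bobby Cooke and drops the six other contributors listed in the deleted yml/OtherMSBinaries/Code.yml (Dylan Tran, Ellis Springe, Valentina Palmiotti, Ruben Boonen, Andrew Kisliakov, mr.d0x); if the move stands, the full list should be carried over. The merge also places a T1218.015 Execute command under an entry whose existing command is T1219, loses the deleted file's `Author: Bobby Cooke` and `Created: 2025-03-20` metadata, and the commit message does not say why the technique belongs in HonorableMentions rather than its own OtherMSBinaries entry.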
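Review bot: PATCH 4/4 reverts PATCH 3/4 wholesale (yml/HonorableMentions/Code.yml back to 6ea99828, yml/OtherMSBinaries/Code.yml re-created at edef7586), so the series nets out to PATCH 1/4 plus the whitespace fix, but the revert message gives no reason for abandoning the merge. The resulting layout documents Code.exe in two files with split Detection sections (the Electron Sigma rule and the `resources\app` IOCs in OtherMSBinaries, the tunnel and process-tree IOCs in HonorableMentions). Suggest dropping 3/4 and 4/4 from the series before merge or stating the rationale in the revert message, and cross-referencing the two Code.yml entries so defenders find both detection sets.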