This artifact parses VSCode configuration files to find potenital persistence.
Terminal Profiles via settings.json
Visual Studio tasks via tasks.json
The artifact has configurable options to Include all tasks and settings for visibility.
NOTE: experimental - additional research may include Visual Studio Code Extensions
name: Windows.Persistence.VscodeTasks
author: Matt Green - @mgreen27
description: |
This artifact parses VSCode configuration files to find potenital
persistence.
Terminal Profiles via settings.json
Visual Studio tasks via tasks.json
The artifact has configurable options to Include all tasks and settings for
visibility.
NOTE: experimental - additional research may include Visual Studio Code Extensions
reference:
- https://twitter.com/nas_bench/status/1618021415852335105
- https://twitter.com/nas_bench/status/1618021838407495681
type: CLIENT
parameters:
- name: IncludeAllTasks
type: bool
- name: IncludeAllSettings
type: bool
sources:
- precondition:
SELECT OS From info() where OS = 'windows'
query: |
SELECT
OSPath,
FileSize,
FileName,
parse_json(data=regex_replace(source=read_file(filename=OSPath) , re='''//.+\n''', replace='')) As Parsed,
dict(
Created0x10=Created0x10,
Created0x30=Created0x30,
LastModified0x10=LastModified0x10,
LastModified0x30=LastModified0x30,
LastRecordChange0x10=LastRecordChange0x10,
LastRecordChange0x30=LastRecordChange0x30,
LastAccess0x10=LastAccess0x10,
LastAccess0x30=LastAccess0x30
) as Timestamps
FROM Artifact.Windows.NTFS.MFT(FileRegex='^(settings|tasks)\.json$',PathRegex='vscode')
WHERE
if(condition=IncludeAllTasks,
then= FileName='tasks.json',
else= Parsed.settings.`task.allowAutomaticTasks` = 'on' )
OR if(condition=IncludeAllSettings,
then= FileName='settings.json',
else= Parsed.settings.`terminal.integrated.defaultprofile.windows` )