Detecting New VSCode Extensions
The Problem
Do developers at your organization utilize VSCode and have free rein to do whatever they want? Then this article is for you! With the recent uptick in supply chain attacks targeting VSCode extensions [1], I decided to figure out how to baseline and detect new extension installations.
Detection
VSCode extensions are typically installed in the user's profile directory at C:\Users\$user$\.vscode\extensions. You will need process logs of some variety, such as Sysmon or your EDR solution. To build an inventory, search for any process path or parent process path that contains \.vscode\extensions\. Each extension is installed into a folder named $developer$.$extension_name$-$version$ (a platform suffix may follow the version). For example, the full path for the Docker extension is C:\Users\user\.vscode\extensions\docker.docker-0.4.9-win32-x64\. I recommend querying for anything under this directory and parsing the developer and extension name out of the folder name with a regex, then writing the results to a list. Once you have a list of the extensions currently in your environment, you can alert on any new extension or new developer for your security team to review.
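The baselining logic described above, as an added example that is not part of the original post: it parses Sysmon-style process-creation records (constructed sample lines, with Image and ParentImage fields), extracts the developer and extension name from the \.vscode\extensions\ folder name with a regex, and reports any extension id or developer not present in the baseline list. The field names and log layout are assumptions; adapt the parsing to whatever your EDR exports.

```python
"""Baseline VSCode extensions from process logs and flag new ones.

Added example, not from the original post. Assumes Sysmon-like
process-creation events with Image and ParentImage fields; the sample
events below are constructed for this demonstration.
"""
import re
from typing import Dict, Iterable, List, Set

# Matches the install folder below \.vscode\extensions\ :
#   <developer>.<extension_name>-<version>[-<platform>]
# Developer and name are marketplace identifiers (letters, digits, hyphens).
# The version must start with a digit, which is what separates it from a
# hyphenated extension name; the greedy name group keeps "foo-2" intact in
# "foo-2-1.0.0".
EXT_PATH_RE = re.compile(
    r"\\\.vscode\\extensions\\"
    r"(?P<developer>[a-z0-9][a-z0-9-]*)\.(?P<name>[a-z0-9][a-z0-9-]*)-(?P<version>\d[^\\]*)",
    re.IGNORECASE,
)

# Constructed Sysmon-like events: tab-separated key=value pairs.
SAMPLE_EVENTS = [
    "EventID=1\tImage=C:\\Users\\alice\\.vscode\\extensions\\docker.docker-0.4.9-win32-x64\\bin\\helper.exe"
    "\tParentImage=C:\\Program Files\\Microsoft VS Code\\Code.exe",
    "EventID=1\tImage=C:\\Windows\\System32\\cmd.exe"
    "\tParentImage=C:\\Users\\alice\\.vscode\\extensions\\ms-python.python-2024.4.1\\node_modules\\.bin\\run.cmd",
    "EventID=1\tImage=C:\\Users\\bob\\.vscode\\extensions\\newvendor.sql-tools-2.1.0\\server.exe"
    "\tParentImage=C:\\Program Files\\Microsoft VS Code\\Code.exe",
    "EventID=1\tImage=C:\\Windows\\System32\\notepad.exe\tParentImage=C:\\Windows\\explorer.exe",
]

# Constructed baseline: extension ids already approved in the environment.
BASELINE: Set[str] = {"docker.docker", "ms-python.python"}


def parse_event(line: str) -> Dict[str, str]:
    """Split one tab-separated key=value record into a dict."""
    return dict(field.split("=", 1) for field in line.split("\t") if "=" in field)


def extension_ids(events: Iterable[str]) -> Set[str]:
    """Return every '<developer>.<name>' seen in Image or ParentImage paths."""
    found: Set[str] = set()
    for line in events:
        event = parse_event(line)
        for field in ("Image", "ParentImage"):
            match = EXT_PATH_RE.search(event.get(field, ""))
            if match:
                found.add(f"{match['developer']}.{match['name']}".lower())
    return found


def find_new_extensions(events: Iterable[str], baseline: Set[str]) -> Dict[str, List[str]]:
    """Compare observed ids with the baseline; list new ids and new developers."""
    seen = extension_ids(events)
    known_developers = {ext.split(".", 1)[0] for ext in baseline}
    new_ids = sorted(seen - baseline)
    new_developers = sorted({ext.split(".", 1)[0] for ext in new_ids} - known_developers)
    return {"new_extensions": new_ids, "new_developers": new_developers}


if __name__ == "__main__":
    for key, values in find_new_extensions(SAMPLE_EVENTS, BASELINE).items():
        print(f"{key}: {values}")
```

In practice the baseline set comes from your first inventory query and is refreshed after each review; a new developer is worth a closer look than a new extension from a developer you already trust.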
Conclusion and Real Solution
Building a detection like this is fun and all, but the real solution is to implement a GPO or another device management solution to manage the extensions.allowed configuration [2]. This allows organizations to control which extensions can be installed in their environment.
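To show what an extensions.allowed policy looks like and how an inventory from the detection above can be audited against it, here is an added example that is not part of the original post or of VSCode itself. The settings.json fragment is constructed, and the evaluation order (exact extension id, then publisher, then the "*" default; a version list pins allowed versions; anything unmatched is treated as denied) is a simplified model of the documented setting and an assumption of this example, not VSCode's own implementation.

```python
"""Audit an extension inventory against an extensions.allowed policy.

Added example, not from the original post or from VSCode. The policy
fragment is constructed and the precedence rules are a simplified model
(assumption): exact id > publisher > "*", with unmatched ids denied.
"""
import json
from typing import Dict, List, Tuple, Union

Rule = Union[bool, List[str]]

# Constructed settings.json fragment as it might be pushed by GPO or MDM.
SETTINGS_JSON = """
{
  "extensions.allowed": {
    "ms-vscode": true,
    "ms-python.python": true,
    "docker.docker": ["0.4.9"],
    "redhat": false,
    "*": false
  }
}
"""

# Constructed inventory: (extension id, installed version) pairs, as produced
# by parsing the \\.vscode\\extensions\\ folder names.
INVENTORY: List[Tuple[str, str]] = [
    ("docker.docker", "0.4.9"),
    ("docker.docker", "0.5.0"),
    ("ms-python.python", "2024.4.1"),
    ("ms-vscode.cpptools", "1.2.0"),
    ("redhat.java", "1.0.0"),
    ("newvendor.sql-tools", "2.1.0"),
]


def load_policy(settings_text: str) -> Dict[str, Rule]:
    """Extract the extensions.allowed map from a settings.json document."""
    return json.loads(settings_text)["extensions.allowed"]


def is_allowed(policy: Dict[str, Rule], ext_id: str, version: str) -> bool:
    """Evaluate one installed extension against the policy.

    Keys without a dot are publishers; keys with a dot are full extension ids.
    The most specific matching key wins; a list value allows only the listed
    versions. With no matching key at all the extension is denied (assumed).
    """
    ext_id = ext_id.lower()
    publisher = ext_id.split(".", 1)[0]
    for key in (ext_id, publisher, "*"):
        if key in policy:
            rule = policy[key]
            if isinstance(rule, list):
                return version in rule
            return bool(rule)
    return False


def audit(policy: Dict[str, Rule], inventory: List[Tuple[str, str]]) -> List[str]:
    """Return 'id@version' for every inventory entry the policy does not allow."""
    return [f"{ext}@{ver}" for ext, ver in inventory if not is_allowed(policy, ext, ver)]


if __name__ == "__main__":
    for violation in audit(load_policy(SETTINGS_JSON), INVENTORY):
        print("not allowed:", violation)
```

Running the audit against the inventory from your process logs is a quick way to find machines where the policy has not yet taken effect, since a managed setting only blocks future installs and does not retroactively clean up what is already on disk.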