---
Name: vsls-agent.exe
Description: Agent for Visual Studio Live Share (Code Collaboration)
Author: Jimmy (@bohops)
Created: 2022-11-01
Commands:
  - Command: vsls-agent.exe --agentExtensionPath c:\path\to\payload.dll
    Description: Load a library payload using the --agentExtensionPath parameter (32-bit)
    Usecase: Execute proxied payload with Microsoft signed binary
    Category: Execute
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows 10 21H2 (likely previous and newer versions with modern versions of Visual Studio installed)
Full_Path:
  - Path: c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\Extensions\Microsoft\LiveShare\Agent\vsls-agent.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_vslsagent_agentextensionpath_load.yml
Resources:
  - Link: https://twitter.com/bohops/status/1583916360404729857
Acknowledgement:
  - Person: Jimmy
    Handle: '@bohops'