title: PE File Execution via Vsjitdebugger
id: 4b51f73f-1583-4202-a8e0-2d4bbf4beeee
status: experimental
description: Detects execution of the Vsjitdebugger tool as a parent process, where it is used as a proxy to execute other PE files.
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/
author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
date: 2020/10/08
tags:
    - attack.defense_evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\vsjitdebugger.exe'
    condition: selection
falsepositives:
    - Legitimate usage by software developers or testers
level: medium