.. /VSDiagnostics.exe
Star

Execute

Command-line tool used for performing diagnostics.

Paths:

C:\Program Files\Microsoft Visual Studio\2022\Community\Team Tools\DiagnosticsHub\Collector\VSDiagnostics.exe

Resources:

https://twitter.com/0xBoku/status/1679200664013135872

Acknowledgements:

Bobby Cooke (@0xBoku)

Detection:

Sigma: https://github.com/tsale/Sigma_rules/blob/d5b4a09418edfeeb3a2d654f556d5bca82003cd7/LOL_BINs/VSDiagnostics_LoLBin.yml

Execute

Starts a collection session with sessionID 1 and calls kernelbase.CreateProcessW to launch specified executable.

VSDiagnostics.exe start 1 /launch:calc.exe

Usecase: Proxy execution of binary
Privileges required: User
OS: Windows 10, Windows 11
MITRE ATT&CK®: T1127

Starts a collection session with sessionID 2 and calls kernelbase.CreateProcessW to launch specified executable. Arguments specified in launchArgs are passed to CreateProcessW.

VSDiagnostics.exe start 2 /launch:cmd.exe /launchArgs:"/c calc.exe"

Usecase: Proxy execution of binary with arguments
Privileges required: User
OS: Windows 10, Windows 11
MITRE ATT&CK®: T1127

.. /VSDiagnostics.exe Star

Execute

.. /VSDiagnostics.exe
Star