Suspicious Execution from VS Code Extension

Elastic Detection Rules

Summary
This detection targets Windows endpoints for suspicious process starts where the parent is the VS Code extension host (path contains .vscode/extensions or /vscode/extensions). It flags when the child process is a command interpreter or downloader such as cmd.exe, powershell.exe, pwsh.exe, curl.exe, bitsadmin.exe, wscript/cscript, mshta, node.exe, rundll32.exe, msiexec, etc., or when a recently created executable is dropped from a non-Program Files path (Ext.relative_file_creation_time <= 500). The rule therefore covers both script/LOLBin-based child executions and newly created payloads associated with extensions that run at startup (e.g., activationEvents: ["onStartupFinished"]).

It includes exclusions for known benign commands (e.g., npm config Get prefix, code -v) and for Python extension contexts to reduce noise. The intended outcome is to surface payload drops or execution initiated by malicious VS Code extensions, such as RATs or downloaders, at startup, and to prompt further investigation of the extension, its origin, and any network or file activity.

Triage steps emphasize extracting the extension identifier from the parent path, verifying the extension's authenticity against marketplaces or internal registries, inspecting child processes and command lines, and correlating with network indicators (C2 domains, downloads) and known IOCs (e.g., Fake Clawdbot).

False positives may arise from legitimate extension tooling or extension development scenarios; mitigation includes excluding known extension IDs or requiring additional corroborating signals. Remediation involves removing the suspicious extension, restarting VS Code, removing any payload artifacts, blocking associated IOCs, and rotating exposed secrets if needed.
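As an added illustration (not the rule's own query or Elastic's code), the following Python models the conditions and exclusions described above and runs them over constructed process-start events. The event field names, the ms-python path check standing in for the "Python extension contexts" exclusion, and the sample paths are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Child process names the summary lists as interpreters, downloaders and LOLBins.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "curl.exe", "bitsadmin.exe",
                       "wscript.exe", "cscript.exe", "mshta.exe", "node.exe", "rundll32.exe", "msiexec.exe"}
# Benign command lines the summary names as exclusions (matched case-insensitively).
BENIGN_CMDLINES = [re.compile(r"npm\s+config\s+get\s+prefix", re.I), re.compile(r"\bcode(\.cmd)?\s+-v\b", re.I)]
EXTENSION_PARENT = re.compile(r"[\\/]\.?vscode[\\/]extensions[\\/]", re.I)  # parent lives under the extensions dir
PYTHON_EXTENSION = re.compile(r"[\\/]ms-python\.python-", re.I)  # assumed shape of the "Python extension" exclusion
PROGRAM_FILES = re.compile(r"^[a-z]:\\program files( \(x86\))?\\", re.I)
MAX_AGE_SECONDS = 500  # the summary's Ext.relative_file_creation_time <= 500 threshold

def evaluate(event: Dict) -> Optional[str]:
    """Return the reason an event matches the rule, or None. Field names are assumed, not the rule's own."""
    parent = event.get("parent_executable", "")
    if not EXTENSION_PARENT.search(parent) or PYTHON_EXTENSION.search(parent):
        return None
    if any(p.search(event.get("command_line", "")) for p in BENIGN_CMDLINES):
        return None
    if event.get("name", "").lower() in SUSPICIOUS_CHILDREN:
        return "interpreter/downloader child: " + event["name"]
    age, exe = event.get("relative_file_creation_time"), event.get("executable", "")
    if age is not None and age <= MAX_AGE_SECONDS and not PROGRAM_FILES.match(exe):
        return "recently created executable outside Program Files: " + exe
    return None

def scan(events: List[Dict]) -> List[Tuple[int, str]]:
    """Run the rule over process-start events and return (index, reason) for each hit."""
    return [(i, reason) for i, e in enumerate(events) if (reason := evaluate(e))]

def ev(parent: str, name: str, exe: str, cmd: str, age: int) -> Dict:
    return {"parent_executable": parent, "name": name, "executable": exe,
            "command_line": cmd, "relative_file_creation_time": age}

# Constructed sample events: an extension host under a fictitious "acme.helper" extension.
EXT = r"C:\Users\alice\.vscode\extensions"
HOST = EXT + r"\acme.helper-1.0.0\bin\helper.exe"
OLD = 10_000_000  # executable created long before the process started (seconds)
SAMPLE_EVENTS = [
    ev(HOST, "powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -File setup.ps1", OLD),
    ev(HOST, "node.exe", r"C:\Program Files\nodejs\node.exe", "node.exe npm config get prefix", OLD),  # benign exclusion
    ev(HOST, "updater.exe", EXT + r"\acme.helper-1.0.0\bin\updater.exe", "updater.exe", 12),  # freshly dropped payload
    ev(EXT + r"\ms-python.python-2024.1.0\out\client.exe", "cmd.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir", OLD),
    ev(r"C:\Program Files\Microsoft VS Code\Code.exe", "cmd.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir", OLD),
]
```

Running `scan(SAMPLE_EVENTS)` reports only the PowerShell child and the freshly created updater.exe; the npm lookup, the Python-extension child and the non-extension parent are filtered out.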
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • File
ATT&CK Techniques
  • T1204
  • T1195
  • T1195.002
  • T1059
  • T1204.002
Created: 2026-02-13