Attempt to Establish VScode Remote Tunnel
Detects the execution of the VScode portable binary with the tunnel command line option indicating an attempt to establish a remote tunnel session to Github or a remote VScode instance.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/09/09"
3integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system"]
4maturity = "production"
5min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
6min_stack_version = "8.14.0"
7updated_date = "2024/10/17"
8
9[rule]
10author = ["Elastic"]
11description = """
12Detects the execution of the VScode portable binary with the tunnel command line option indicating an
13attempt to establish a remote tunnel session to Github or a remote VScode instance.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Attempt to Establish VScode Remote Tunnel"
20references = [
21 "https://badoption.eu/blog/2023/01/31/code_c2.html",
22 "https://code.visualstudio.com/docs/remote/tunnels"
23]
24risk_score = 47
25rule_id = "0b96dfd8-5b8c-4485-9a1c-69ff7839786a"
26severity = "medium"
27tags = [
28 "Domain: Endpoint",
29 "OS: Windows",
30 "Use Case: Threat Detection",
31 "Tactic: Command and Control",
32 "Data Source: Elastic Endgame",
33 "Data Source: Elastic Defend",
34 "Data Source: Sysmon",
35 "Data Source: SentinelOne",
36 "Data Source: Microsoft Defender for Endpoint",
37 "Data Source: System",
38]
39timestamp_override = "event.ingested"
40type = "eql"
41
42query = '''
43process where host.os.type == "windows" and event.type == "start" and
44 process.args : "tunnel" and (process.args : "--accept-server-license-terms" or process.name : "code*.exe") and
45 not (process.name == "code-tunnel.exe" and process.args == "status" and process.parent.name == "Code.exe")
46'''
47
48
49[[rule.threat]]
50framework = "MITRE ATT&CK"
51[[rule.threat.technique]]
52id = "T1219"
53name = "Remote Access Software"
54reference = "https://attack.mitre.org/techniques/T1219/"
55
56
57[rule.threat.tactic]
58id = "TA0011"
59name = "Command and Control"
60reference = "https://attack.mitre.org/tactics/TA0011/"
References
Related rules
- Suspicious ScreenConnect Client Child Process
- Potential DNS Tunneling via NsLookup
- Potential File Download via a Headless Browser
- Potential File Transfer via Certreq
- Remote File Download via Desktopimgdownldr Utility