Attempt to Establish VScode Remote Tunnel

calendar Nov 4, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Command and Control Data Source: Elastic Endgame Data Source: Elastic Defend Data Source: Sysmon Data Source: SentinelOne Data Source: Microsoft Defender for Endpoint Data Source: System Data Source: Crowdstrike  ·
Share on: linkedin copy

Detects the execution of the VScode portable binary with the tunnel command line option indicating an attempt to establish a remote tunnel session to Github or a remote VScode instance.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2024/09/09"
 3integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
 4maturity = "production"
 5min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 6min_stack_version = "8.14.0"
 7updated_date = "2024/10/31"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Detects the execution of the VScode portable binary with the tunnel command line option indicating an
13attempt to establish a remote tunnel session to Github or a remote VScode instance.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-crowdstrike.fdr*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Attempt to Establish VScode Remote Tunnel"
20references = [
21    "https://badoption.eu/blog/2023/01/31/code_c2.html",
22    "https://code.visualstudio.com/docs/remote/tunnels"
23]
24risk_score = 47
25rule_id = "0b96dfd8-5b8c-4485-9a1c-69ff7839786a"
26severity = "medium"
27tags = [
28    "Domain: Endpoint",
29    "OS: Windows",
30    "Use Case: Threat Detection",
31    "Tactic: Command and Control",
32    "Data Source: Elastic Endgame",
33    "Data Source: Elastic Defend",
34    "Data Source: Sysmon",
35    "Data Source: SentinelOne",
36    "Data Source: Microsoft Defender for Endpoint",
37    "Data Source: System",
38    "Data Source: Crowdstrike",
39]
40timestamp_override = "event.ingested"
41type = "eql"
42
43query = '''
44process where host.os.type == "windows" and event.type == "start" and
45  process.args : "tunnel" and (process.args : "--accept-server-license-terms" or process.name : "code*.exe") and 
46  not (process.name == "code-tunnel.exe" and process.args == "status" and process.parent.name == "Code.exe")
47'''
48
49
50[[rule.threat]]
51framework = "MITRE ATT&CK"
52[[rule.threat.technique]]
53id = "T1219"
54name = "Remote Access Software"
55reference = "https://attack.mitre.org/techniques/T1219/"
56
57
58[rule.threat.tactic]
59id = "TA0011"
60name = "Command and Control"
61reference = "https://attack.mitre.org/tactics/TA0011/"

References

  • Let’s Go (VS) Code - Red Team style

    Let’s Go (VS) Code - Red Team style or the Microsoft signed and hosted Reverse Shell TL;DR; MS is offering a signed binary (code.exe), which will establish a Command&Control channel via an official Microsoft domain https://vscode.dev. The C2 communication itself is going to https://global.rel.tunnels.api.visualstudio.com over WebSockets. An attacker only needs an Github account.


    Read More

  • Remote Tunnels

    Using the Visual Studio Code Remote Tunnels extension


    Read More

Related rules

to-top