DNS Query To Visual Studio Code Tunnels Domain

Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

Sigma rule (View on GitHub)

 1title: DNS Query To Visual Studio Code Tunnels Domain
 2id: b3e6418f-7c7a-4fad-993a-93b65027a9f1
 3related:
 4    - id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 # Net Connection DevTunnels
 5      type: similar
 6    - id: 4b657234-038e-4ad5-997c-4be42340bce4 # Net Connection VsCode
 7      type: similar
 8    - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels
 9      type: similar
10status: test
11description: |
12        Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
13references:
14    - https://ipfyx.fr/post/visual-studio-code-tunnel/
15    - https://badoption.eu/blog/2023/01/31/code_c2.html
16    - https://cydefops.com/vscode-data-exfiltration
17author: citron_ninja
18date: 2023-10-25
19modified: 2023-11-20
20tags:
21    - attack.command-and-control
22    - attack.t1071.001
23logsource:
24    category: dns_query
25    product: windows
26detection:
27    selection:
28        QueryName|endswith: '.tunnels.api.visualstudio.com'
29    condition: selection
30falsepositives:
31    - Legitimate use of Visual Studio Code tunnel will also trigger this.
32level: medium

References

Related rules

to-top