Visual Studio Code Tunnel Remote File Creation
Detects the creation of a file by the "node.exe" process in the ".vscode-server" directory. This could be a sign of remote file creation via the VS Code tunnel feature.
Sigma rule

```yaml
title: Visual Studio Code Tunnel Remote File Creation
id: 56e05d41-ce99-4ecd-912d-93f019ee0b71
status: test
description: |
    Detects the creation of file by the "node.exe" process in the ".vscode-server" directory. Could be a sign of remote file creation via VsCode tunnel feature
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-25
tags:
    - attack.command-and-control
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|contains: '\servers\Stable-'
        Image|endswith: '\server\node.exe'
        TargetFilename|contains: '\.vscode-server\data\User\History\'
    condition: selection
falsepositives:
    - Unknown
level: medium
```
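To show how the selection above evaluates against Windows file-creation telemetry, here is an added Python example (not code from the Sigma project or from the rule's author) that applies the three clauses with Sigma's case-insensitive `contains`/`endswith` semantics to constructed Sysmon FileCreate records. The paths, the user name and the `Stable-<commit>` directory in the samples are made-up placeholders, not values from the page.

```python
# Added example: evaluates the rule's selection against constructed Sysmon
# Event ID 11 (FileCreate) records, using Sigma's windows/file_event field
# names. All paths, the user name and the Stable-<commit> dir are made up.

# Sigma ANDs the fields of one selection; matching is case-insensitive and a
# backslash in a plain Sigma string is a literal backslash.
SELECTION = [
    ("Image", "contains", "\\servers\\Stable-"),
    ("Image", "endswith", "\\server\\node.exe"),
    ("TargetFilename", "contains", "\\.vscode-server\\data\\User\\History\\"),
]

MODIFIERS = {
    "contains": lambda value, needle: needle in value,
    "endswith": lambda value, needle: value.endswith(needle),
}

def matches(event: dict) -> bool:
    """Return True when every clause of the selection holds for this event."""
    for field, modifier, needle in SELECTION:
        value = event.get(field)
        if value is None:  # a missing field never satisfies a clause
            return False
        if not MODIFIERS[modifier](value.lower(), needle.lower()):
            return False
    return True

def alerting_files(events: list) -> list:
    """Return the TargetFilename of every event that triggers the rule."""
    return [e["TargetFilename"] for e in events if matches(e)]

SAMPLE_EVENTS = [
    {   # tunnel-installed server binary writing editor history: should alert
        "Image": "C:\\Users\\alice\\.vscode\\cli\\servers\\Stable-0123abcd\\server\\node.exe",
        "TargetFilename": "C:\\Users\\alice\\.vscode-server\\data\\User\\History\\1a2b3c\\entries.json",
    },
    {   # same binary writing a log outside User\History: no alert
        "Image": "C:\\Users\\alice\\.vscode\\cli\\servers\\Stable-0123abcd\\server\\node.exe",
        "TargetFilename": "C:\\Users\\alice\\.vscode-server\\data\\logs\\remoteagent.log",
    },
    {   # a standalone Node.js install touching the same directory: no alert
        "Image": "C:\\Program Files\\nodejs\\node.exe",
        "TargetFilename": "C:\\Users\\alice\\.vscode-server\\data\\User\\History\\1a2b3c\\entries.json",
    },
    {   # upper-cased paths still match because Sigma compares case-insensitively
        "Image": "C:\\USERS\\ALICE\\.VSCODE\\CLI\\SERVERS\\STABLE-0123ABCD\\SERVER\\NODE.EXE",
        "TargetFilename": "C:\\USERS\\ALICE\\.VSCODE-SERVER\\DATA\\USER\\HISTORY\\1A2B3C\\ENTRIES.JSON",
    },
]
```

Only the first and fourth records trigger the rule; the second shows that writes by the same binary outside `User\History` are out of scope, and the third that an unrelated `node.exe` is filtered by the `\servers\Stable-` path clause.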
Related rules
- DarkGate - Autoit3.EXE File Creation By Uncommon Process
- Diamond Sleet APT DNS Communication Indicators
- File Download From IP Based URL Via CertOC.EXE
- Renamed VsCode Code Tunnel Execution - File Indicator
- Visual Studio Code Tunnel Execution