Network Connection Initiated To Visual Studio Code Tunnels Domain

calendar Oct 1, 2024 · attack.exfiltration attack.t1567.001  ·
Share on: linkedin copy

Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

Sigma rule (View on GitHub)

 1title: Network Connection Initiated To Visual Studio Code Tunnels Domain
 2id: 4b657234-038e-4ad5-997c-4be42340bce4
 3related:
 4    - id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 # Net Connection DevTunnels
 5      type: similar
 6    - id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 # DNS VsCode
 7      type: similar
 8    - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels
 9      type: similar
10status: test
11description: |
12        Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
13references:
14    - https://ipfyx.fr/post/visual-studio-code-tunnel/
15    - https://badoption.eu/blog/2023/01/31/code_c2.html
16    - https://cydefops.com/vscode-data-exfiltration
17author: Kamran Saifullah
18date: 2023-11-20
19tags:
20    - attack.exfiltration
21    - attack.t1567.001
22logsource:
23    category: network_connection
24    product: windows
25detection:
26    selection:
27        Initiated: 'true'
28        DestinationHostname|endswith: '.tunnels.api.visualstudio.com'
29    condition: selection
30falsepositives:
31    - Legitimate use of Visual Studio Code tunnel will also trigger this.
32level: medium

References

  • Blocking Visual Studio Code embedded reverse shell before it's too late

    Visual studio code tunnel Introduction Since July 2023, Microsoft is offering the perfect reverse shell, embedded inside Visual Studio Code, a widely used …


    Read More

  • Let’s Go (VS) Code - Red Team style

    Let’s Go (VS) Code - Red Team style or the Microsoft signed and hosted Reverse Shell TL;DR; MS is offering a signed binary (code.exe), which will establish a Command&Control channel via an official Microsoft domain https://vscode.dev. The C2 communication itself is going to https://global.rel.tunnels.api.visualstudio.com over WebSockets. An attacker only needs an Github account.


    Read More

  • CyDefOps - Securing the digital frontier

    Cyber Defence Operations Limited is a limited company registered in England and Wales. registered number: 12118657. Registered office: 71-75 Shelton Street, London, WC2H 9JQ.  ‘CyDefOps’ and ‘CDO’...


    Read More

Related rules

to-top