Network Connection Initiated To DevTunnels Domain
Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Sigma rule (View on GitHub)
1title: Network Connection Initiated To DevTunnels Domain
2id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4
3related:
4 - id: 4b657234-038e-4ad5-997c-4be42340bce4 # Net Connection VsCode
5 type: similar
6 - id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 # DNS VsCode
7 type: similar
8 - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels
9 type: similar
10status: experimental
11description: |
12 Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
13references:
14 - https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2
15 - https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security
16 - https://cydefops.com/devtunnels-unleashed
17author: Kamran Saifullah
18date: 2023/11/20
19tags:
20 - attack.exfiltration
21 - attack.t1567.001
22logsource:
23 category: network_connection
24 product: windows
25detection:
26 selection:
27 Initiated: 'true'
28 DestinationHostname|endswith: '.devtunnels.ms'
29 condition: selection
30falsepositives:
31 - Legitimate use of Devtunnels will also trigger this.
32level: medium
References
-
-
-
Cyber Defence Operations Limited is a limited company registered in England and Wales. registered number: 12118657. Registered office: 71-75 Shelton Street, London, WC2H 9JQ. ‘CyDefOps’ and ‘CDO’...
Read More
Related rules
- Network Connection Initiated To Mega.nz
- Process Initiated Network Connection To Ngrok Domain
- Network Connection Initiated To Visual Studio Code Tunnels Domain
- Communication To Ngrok Tunneling Service Initiated
- Active Directory Structure Export Via Ldifde.EXE