Visual Studio Code Tunnel Execution

 1title: Visual Studio Code Tunnel Execution
 2id: 90d6bd71-dffb-4989-8d86-a827fedd6624
 3status: experimental
 4description: Detects Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel
 5references:
 6    - https://ipfyx.fr/post/visual-studio-code-tunnel/
 7    - https://badoption.eu/blog/2023/01/31/code_c2.html
 8    - https://code.visualstudio.com/docs/remote/tunnels
 9author: Nasreddine Bencherchali (Nextron Systems), citron_ninja
10date: 2023/10/25
11tags:
12    - attack.command_and_control
13    - attack.t1071.001
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection_only_tunnel:
19        OriginalFileName: null
20        CommandLine|endswith: '.exe tunnel'
21    selection_tunnel_args:
22        CommandLine|contains|all:
23            - '.exe tunnel'
24            - '--name '
25            - '--accept-server-license-terms'
26    selection_parent_tunnel:
27        ParentCommandLine|endswith: ' tunnel'
28        Image|endswith: '\cmd.exe'
29        CommandLine|contains|all:
30            - '/d /c '
31            - '\servers\Stable-'
32            - 'code-server.cmd'
33    condition: 1 of selection_*
34falsepositives:
35    - Legitimate use of Visual Studio Code tunnel
36level: medium

References

• Blocking Visual Studio Code embedded reverse shell before it's too late

  

  Visual studio code tunnel Introduction Since July 2023, Microsoft is offering the perfect reverse shell, embedded inside Visual Studio Code, a widely used …

  
  Read More

• Let’s Go (VS) Code - Red Team style

  

  Let’s Go (VS) Code - Red Team style or the Microsoft signed and hosted Reverse Shell TL;DR; MS is offering a signed binary (code.exe), which will establish a Command&Control channel via an official Microsoft domain https://vscode.dev. The C2 communication itself is going to https://global.rel.tunnels.api.visualstudio.com over WebSockets. An attacker only needs an Github account.

  
  Read More

• Remote Tunnels

  

  Using the Visual Studio Code Remote Tunnels extension

  
  Read More

Related rules

• Renamed Visual Studio Code Tunnel Execution
• Visual Studio Code Tunnel Service Installation
• Visual Studio Code Tunnel Shell Execution
• Suspicious User Agent
• Suspicious Curl Change User Agents - Linux