Visual Studio Code Tunnel Shell Execution

calendar Oct 28, 2023 · attack.command_and_control attack.t1071.001  ·
Share on: linkedin copy

Detects the execution of a shell (powershell, bash, wsl...) via Visual Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system.

Sigma rule (View on GitHub)

 1title: Visual Studio Code Tunnel Shell Execution
 2id: f4a623c2-4ef5-4c33-b811-0642f702c9f1
 3status: experimental
 4description: Detects the execution of a shell (powershell, bash, wsl...) via Visual Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system.
 5references:
 6    - https://ipfyx.fr/post/visual-studio-code-tunnel/
 7    - https://badoption.eu/blog/2023/01/31/code_c2.html
 8    - https://code.visualstudio.com/docs/remote/tunnels
 9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2023/10/25
11tags:
12    - attack.command_and_control
13    - attack.t1071.001
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection_parent:
19        ParentImage|contains: '\servers\Stable-'
20        ParentImage|endswith: '\server\node.exe'
21        ParentCommandLine|contains: '.vscode-server' # Technically one can host its own local server instead of using the VsCode one. And that would probably change the name (requires further research)
22    # Note: Child processes (ie: shells) can be whatever technically (with some efforts)
23    selection_child_1:
24        Image|endswith:
25            - '\powershell.exe'
26            - '\pwsh.exe'
27        CommandLine|contains: '\terminal\browser\media\shellIntegration.ps1'
28    selection_child_2:
29        Image|endswith:
30            - '\wsl.exe'
31            - '\bash.exe'
32    condition: selection_parent and 1 of selection_child_*
33falsepositives:
34    - Legitimate use of Visual Studio Code tunnel and running code from there
35level: medium

References

  • Blocking Visual Studio Code embedded reverse shell before it's too late

    Visual studio code tunnel Introduction Since July 2023, Microsoft is offering the perfect reverse shell, embedded inside Visual Studio Code, a widely used …


    Read More

  • Let’s Go (VS) Code - Red Team style

    Let’s Go (VS) Code - Red Team style or the Microsoft signed and hosted Reverse Shell TL;DR; MS is offering a signed binary (code.exe), which will establish a Command&Control channel via an official Microsoft domain https://vscode.dev. The C2 communication itself is going to https://global.rel.tunnels.api.visualstudio.com over WebSockets. An attacker only needs an Github account.


    Read More

  • Remote Tunnels

    Using the Visual Studio Code Remote Tunnels extension


    Read More

Related rules

to-top