Renamed Visual Studio Code Tunnel Execution

 1title: Renamed Visual Studio Code Tunnel Execution
 2id: 2cf29f11-e356-4f61-98c0-1bdb9393d6da
 3status: test
 4description: Detects renamed Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel
 5references:
 6    - https://ipfyx.fr/post/visual-studio-code-tunnel/
 7    - https://badoption.eu/blog/2023/01/31/code_c2.html
 8    - https://code.visualstudio.com/docs/remote/tunnels
 9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2023-09-28
11tags:
12    - attack.command-and-control
13    - attack.t1071.001
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection_image_only_tunnel:
19        OriginalFileName: null
20        CommandLine|endswith: '.exe tunnel'
21    selection_image_tunnel_args:
22        CommandLine|contains|all:
23            - '.exe tunnel'
24            - '--name '
25            - '--accept-server-license-terms'
26    selection_image_tunnel_service:
27        CommandLine|contains|all:
28            - 'tunnel '
29            - 'service'
30            - 'internal-run'
31            - 'tunnel-service.log'
32    selection_parent_tunnel:
33        ParentCommandLine|endswith: ' tunnel'
34        Image|endswith: '\cmd.exe'
35        CommandLine|contains|all:
36            - '/d /c '
37            - '\servers\Stable-'
38            - 'code-server.cmd'
39    filter_main_parent_code:
40        ParentImage|endswith:
41            - '\code-tunnel.exe'
42            - '\code.exe'
43    filter_main_image_code:
44        Image|endswith:
45            - '\code-tunnel.exe'
46            - '\code.exe'
47    condition: (1 of selection_image_* and not 1 of filter_main_image_*) or (selection_parent_tunnel and not 1 of filter_main_parent_*)
48falsepositives:
49    - Unknown
50level: high

References

• Blocking Visual Studio Code embedded reverse shell before it's too late

  

  Visual studio code tunnel Introduction Since July 2023, Microsoft is offering the perfect reverse shell, embedded inside Visual Studio Code, a widely used …

  
  Read More

• Let’s Go (VS) Code - Red Team style

  

  Let’s Go (VS) Code - Red Team style or the Microsoft signed and hosted Reverse Shell TL;DR; MS is offering a signed binary (code.exe), which will establish a Command&Control channel via an official Microsoft domain https://vscode.dev. The C2 communication itself is going to https://global.rel.tunnels.api.visualstudio.com over WebSockets. An attacker only needs an Github account.

  
  Read More

• Remote Tunnels

  

  Using the Visual Studio Code Remote Tunnels extension

  
  Read More

Related rules

• APT User Agent
• APT40 Dropbox Tool User Agent
• Bitsadmin to Uncommon IP Server Address
• Bitsadmin to Uncommon TLD
• Chafer Malware URL Pattern