LoFP / legitimate installation of code-tunnel as a service

Techniques

Sample rules

Visual Studio Code Tunnel Service Installation

Description

Detects the installation of VS Code tunnel (code-tunnel) as a service.

Detection logic

condition: selection
selection:
  CommandLine|contains|all:
  - 'tunnel '
  - service
  - internal-run
  - tunnel-service.log