Techniques
Sample rules
DNS Query To Devtunnels Domain
- source: sigma
- techniques:
  - t1071
  - t1071.001
Description
Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Detection logic
condition: selection
selection:
  QueryName|endswith: .devtunnels.ms
Network Connection Initiated To DevTunnels Domain
- source: sigma
- techniques:
  - t1567
  - t1567.001
Description
Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Detection logic
condition: selection
selection:
  DestinationHostname|endswith: .devtunnels.ms
  Initiated: 'true'
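To show what the two selections above actually match, here is an added Python example (not part of this page or the Sigma project) that applies both rules to a handful of constructed Sysmon-style events. The event dictionaries, hostnames and image paths are invented for the demonstration; the helper reproduces Sigma's default case-insensitive string matching for the |endswith modifier, and it deliberately includes a hostname that only contains "devtunnels.ms" in the middle (no suffix match) and an inbound connection with Initiated: 'false' (excluded by the second rule).

```python
"""Apply the two Devtunnels Sigma selections to constructed sample events.

Added example, not the page's or Sigma's own code. Field names follow Sysmon
event 22 (DNS query) and event 3 (network connection); all values are invented.
Sigma string matching is case-insensitive by default, which the helper mirrors.
"""
from typing import Any, Dict, List, Tuple

SUFFIX = ".devtunnels.ms"


def endswith_ci(value: Any, suffix: str) -> bool:
    """Sigma |endswith: case-insensitive suffix match; non-string fields never match."""
    return isinstance(value, str) and value.lower().endswith(suffix.lower())


def dns_query_to_devtunnels(event: Dict[str, Any]) -> bool:
    """Rule 1: selection is QueryName|endswith: .devtunnels.ms"""
    return endswith_ci(event.get("QueryName"), SUFFIX)


def network_connection_to_devtunnels(event: Dict[str, Any]) -> bool:
    """Rule 2: DestinationHostname|endswith: .devtunnels.ms AND Initiated: 'true'"""
    initiated = str(event.get("Initiated", "")).lower() == "true"
    return endswith_ci(event.get("DestinationHostname"), SUFFIX) and initiated


# Constructed sample events (invented hostnames and paths, Sysmon-style fields)
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"EventID": 22, "Image": r"C:\Users\u\devtunnel.exe",
     "QueryName": "abc123-8080.euw.devtunnels.ms"},                  # DNS hit
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "devtunnels.ms.example.com"},                      # not a suffix match
    {"EventID": 3, "Image": r"C:\Users\u\devtunnel.exe",
     "DestinationHostname": "ABC123-8080.EUW.DEVTUNNELS.MS",
     "Initiated": "true"},                                           # outbound hit (case differs)
    {"EventID": 3, "Image": r"C:\Users\u\devtunnel.exe",
     "DestinationHostname": "abc123-8080.euw.devtunnels.ms",
     "Initiated": "false"},                                          # inbound, excluded
    {"EventID": 3, "Image": r"C:\Program Files\Browser\browser.exe",
     "DestinationHostname": "www.example.com", "Initiated": "true"}, # unrelated
]


def run_rules(events: List[Dict[str, Any]]) -> List[Tuple[int, str]]:
    """Return (event index, rule title) for every event a rule matches."""
    hits: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        if dns_query_to_devtunnels(ev):
            hits.append((i, "DNS Query To Devtunnels Domain"))
        if network_connection_to_devtunnels(ev):
            hits.append((i, "Network Connection Initiated To DevTunnels Domain"))
    return hits


if __name__ == "__main__":
    for idx, title in run_rules(SAMPLE_EVENTS):
        print(f"event {idx}: {title}")
```

Only events 0 and 2 fire: the suffix check rejects the look-alike name in event 1, and the Initiated field keeps the inbound connection in event 3 out of the second rule, which is why the page's rule carries that extra condition.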