LoFP / legitimate use of visual studio code tunnel

Techniques

Sample rules

Visual Studio Code Tunnel Execution

Description

Detects Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel.

Detection logic

condition: 1 of selection_*
selection_only_tunnel:
  CommandLine|endswith: .exe tunnel
  OriginalFileName: null
selection_parent_tunnel:
  CommandLine|contains|all:
  - '/d /c '
  - \servers\Stable-
  - code-server.cmd
  Image|endswith: \cmd.exe
  ParentCommandLine|endswith: ' tunnel'
selection_tunnel_args:
  CommandLine|contains|all:
  - .exe tunnel
  - '--name '
  - --accept-server-license-terms
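To make the matching behaviour of the three selections concrete, here is an added example (not part of the LoFP page or of the Sigma rule's source) that evaluates them against constructed process-creation events. It assumes Sigma's default case-insensitive string matching, reads `OriginalFileName: null` as "the field is absent from the event", and uses event dictionaries keyed by the Sigma field names in the rule; all paths, hostnames and the server directory suffix are constructed sample values. The first event is the ordinary developer use this LoFP entry documents, and it fires the rule just as an abusive invocation would, which is why triage of this alert has to look at who started the tunnel and from where rather than at the command line alone.

```python
"""Apply the rule's three selections (condition: 1 of selection_*) to
constructed process-creation events. Field names follow the Sigma rule:
CommandLine, OriginalFileName, Image, ParentCommandLine."""


def ends_with(value, suffix):
    # Sigma string modifiers are case-insensitive by default.
    return value is not None and value.lower().endswith(suffix.lower())


def contains_all(value, needles):
    # `contains|all`: every listed substring must appear in the field.
    return value is not None and all(n.lower() in value.lower() for n in needles)


def selection_only_tunnel(ev):
    # Bare "<something>.exe tunnel" with no OriginalFileName; Sigma's `null`
    # means the field is missing from the event (assumption, see lead-in).
    return ends_with(ev.get("CommandLine"), ".exe tunnel") and ev.get("OriginalFileName") is None


def selection_parent_tunnel(ev):
    # cmd.exe launched by a "... tunnel" parent to start code-server.cmd
    # out of the per-user servers\Stable-<hash> directory.
    return (
        contains_all(ev.get("CommandLine"), ["/d /c ", r"\servers\Stable-", "code-server.cmd"])
        and ends_with(ev.get("Image"), r"\cmd.exe")
        and ends_with(ev.get("ParentCommandLine"), " tunnel")
    )


def selection_tunnel_args(ev):
    # Tunnel started non-interactively with a name and license acceptance.
    return contains_all(ev.get("CommandLine"), [".exe tunnel", "--name ", "--accept-server-license-terms"])


SELECTIONS = (
    ("selection_only_tunnel", selection_only_tunnel),
    ("selection_parent_tunnel", selection_parent_tunnel),
    ("selection_tunnel_args", selection_tunnel_args),
)


def matches(ev):
    """condition: 1 of selection_* -> any selection is sufficient."""
    return any(fn(ev) for _, fn in SELECTIONS)


# Constructed sample events (not real telemetry); hashes and paths are made up.
SAMPLE_EVENTS = [
    # 0: a developer starting a named tunnel (the legitimate use this LoFP entry is about)
    {"Image": r"C:\Users\dev\scoop\apps\vscode\current\Code.exe",
     "OriginalFileName": "Code.exe",
     "CommandLine": r"C:\Users\dev\scoop\apps\vscode\current\Code.exe tunnel --name build-box --accept-server-license-terms"},
    # 1: standalone CLI binary without a version resource, bare "tunnel"
    {"Image": r"C:\tools\code.exe",
     "CommandLine": r"C:\tools\code.exe tunnel"},
    # 2: cmd.exe child that the tunnel spawns to run code-server.cmd
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'C:\Windows\System32\cmd.exe /d /c "C:\Users\dev\.vscode\cli\servers\Stable-abc123\server\bin\code-server.cmd"',
     "ParentCommandLine": r"C:\tools\code.exe tunnel"},
    # 3: plain editor launch, must not match
    {"Image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "OriginalFileName": "Code.exe",
     "CommandLine": r'"C:\Program Files\Microsoft VS Code\Code.exe" C:\src\project'},
]


def run(events=SAMPLE_EVENTS):
    """Return [(event_index, [names of selections that matched]), ...] for firing events."""
    hits = []
    for i, ev in enumerate(events):
        names = [name for name, fn in SELECTIONS if fn(ev)]
        if names:
            hits.append((i, names))
    return hits


if __name__ == "__main__":
    for i, names in run():
        print(f"event {i} matched: {', '.join(names)}")
```

Each of the first three events trips exactly one selection, so the evaluator also shows which branch of the rule produced an alert; when tuning the false positive, that tells you whether to scope the exception to the interactive `--name` form, the bare CLI form, or the cmd.exe child.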