LoFP / legitimate use of visual studio code tunnel and running code from there

Techniques

Sample rules

Visual Studio Code Tunnel Shell Execution

Description

Detects the execution of a shell (powershell, bash, wsl…) via a Visual Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system.

Detection logic

condition: selection_parent and 1 of selection_child_*
selection_child_1:
  CommandLine|contains: \terminal\browser\media\shellIntegration.ps1
  Image|endswith:
  - \powershell.exe
  - \pwsh.exe
selection_child_2:
  Image|endswith:
  - \wsl.exe
  - \bash.exe
selection_parent:
  ParentCommandLine|contains: .vscode-server
  ParentImage|contains: \servers\Stable-
  ParentImage|endswith: \server\node.exe
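To make the rule's selections concrete, here is an added Python re-implementation of the detection logic run over constructed process-creation events; it is illustration code, not part of this LoFP page or of the Sigma rule, and the field names follow Sysmon's process-creation schema while the paths and the "Stable-abc123" server directory are made-up placeholders. It shows that a developer legitimately opening a WSL terminal through a tunnel matches in exactly the same way as the abuse case, which is the false positive this entry records.

```python
# Constructed sample events (Sysmon-style process-creation fields); the
# paths and the "Stable-abc123" directory are placeholders, not real values.
TUNNEL_NODE = r"C:\Users\dev\.vscode-server\cli\servers\Stable-abc123\server\node.exe"
EVENTS = [
    {   # Integrated PowerShell spawned by the tunnel server: matches child_1
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell.exe -noexit -command ". C:\Users\dev\.vscode-server\cli\servers\Stable-abc123\server\out\vs\workbench\contrib\terminal\browser\media\shellIntegration.ps1"',
        "ParentImage": TUNNEL_NODE,
        "ParentCommandLine": TUNNEL_NODE + " --start-server",
    },
    {   # Developer opening a WSL terminal through the tunnel: matches child_2
        # (a legitimate-use hit, the false positive this LoFP entry records)
        "Image": r"C:\Windows\System32\wsl.exe",
        "CommandLine": "wsl.exe -d Ubuntu",
        "ParentImage": TUNNEL_NODE,
        "ParentCommandLine": TUNNEL_NODE + " --start-server",
    },
    {   # Same shellIntegration command line but from desktop VS Code: parent fails
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "CommandLine": r'pwsh.exe -noexit -command ". C:\Program Files\Microsoft VS Code\resources\app\out\vs\workbench\contrib\terminal\browser\media\shellIntegration.ps1"',
        "ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
        "ParentCommandLine": r'"C:\Program Files\Microsoft VS Code\Code.exe"',
    },
    {   # cmd.exe under the tunnel server: parent matches, but no child selection does
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c dir",
        "ParentImage": TUNNEL_NODE,
        "ParentCommandLine": TUNNEL_NODE + " --start-server",
    },
]

# Sigma string modifiers are case-insensitive, so every field is lower-cased first.
def selection_parent(ev):
    parent_image = ev.get("ParentImage", "").lower()
    return (".vscode-server" in ev.get("ParentCommandLine", "").lower()
            and r"\servers\stable-" in parent_image
            and parent_image.endswith(r"\server\node.exe"))

def selection_child_1(ev):
    return (r"\terminal\browser\media\shellintegration.ps1" in ev.get("CommandLine", "").lower()
            and ev.get("Image", "").lower().endswith((r"\powershell.exe", r"\pwsh.exe")))

def selection_child_2(ev):
    return ev.get("Image", "").lower().endswith((r"\wsl.exe", r"\bash.exe"))

def rule_matches(ev):
    # condition: selection_parent and 1 of selection_child_*
    return selection_parent(ev) and (selection_child_1(ev) or selection_child_2(ev))
```

Tuning for the legitimate case therefore cannot rely on the parent/child pair alone; it needs context such as which users are expected to run tunnels and what the spawned shell does next.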