LoFP / legitimate use of visual studio code tunnel will also trigger this.

Techniques

• t1071
• t1071.001
• t1567
• t1567.001

Sample rules

DNS Query To Visual Studio Code Tunnels Domain

• source: sigma
• technicques:
  • t1071
  • t1071.001

Description

Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

Detection logic

condition: selection
selection:
  QueryName|endswith: .tunnels.api.visualstudio.com

Network Connection Initiated To Visual Studio Code Tunnels Domain

• source: sigma
• technicques:
  • t1567
  • t1567.001

Description

Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

Detection logic

condition: selection
selection:
  DestinationHostname|endswith: .tunnels.api.visualstudio.com
  Initiated: 'true'