LoFP / Legitimate use of Visual Studio Code tunnel will also trigger this.

Techniques

Sample rules

Network Connection Initiated To Visual Studio Code Tunnels Domain

Description

Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse the tunnel feature to establish a reverse shell or persistence on a machine.

Detection logic

condition: selection
selection:
  DestinationHostname|endswith: .tunnels.api.visualstudio.com
  Initiated: 'true'

DNS Query To Visual Studio Code Tunnels Domain

Description

Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse the tunnel feature to establish a reverse shell or persistence on a machine.

Detection logic

condition: selection
selection:
  QueryName|endswith: .tunnels.api.visualstudio.com
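
The two selections above, evaluated over constructed events. This is an added example, not code from the rules or from the LoFP project. The field names and the suffix come from the rules; the helper names, the sample events and the trailing-dot normalization are assumptions of the example.

```python
SUFFIX = ".tunnels.api.visualstudio.com"  # value used by both rules


def ends_with(value, suffix=SUFFIX):
    """Sigma-style |endswith: case-insensitive suffix match on a string field."""
    if not isinstance(value, str):
        return False
    # Assumption of this example: drop a trailing root dot ("host.") first,
    # because a literal endswith comparison would miss that form.
    return value.lower().rstrip(".").endswith(suffix)


def match_network_connection(event):
    # selection: DestinationHostname|endswith AND Initiated: 'true'
    # str() so a boolean True from the log pipeline matches the string 'true'.
    return (ends_with(event.get("DestinationHostname"))
            and str(event.get("Initiated")).lower() == "true")


def match_dns_query(event):
    # selection: QueryName|endswith
    return ends_with(event.get("QueryName"))


# Constructed events; host labels are made up for illustration.
EVENTS = [
    {"id": 1, "DestinationHostname": "abc123.tunnels.api.visualstudio.com", "Initiated": "true"},
    {"id": 2, "DestinationHostname": "ABC123.Tunnels.API.VisualStudio.com", "Initiated": True},
    {"id": 3, "DestinationHostname": "abc123.tunnels.api.visualstudio.com", "Initiated": "false"},
    {"id": 4, "DestinationHostname": "tunnels.api.visualstudio.com", "Initiated": "true"},
    {"id": 5, "DestinationHostname": "tunnels.api.visualstudio.com.example.net", "Initiated": "true"},
    {"id": 6, "QueryName": "abc123.tunnels.api.visualstudio.com"},
    {"id": 7, "QueryName": "abc123.tunnels.api.visualstudio.com."},
    {"id": 8, "QueryName": "marketplace.visualstudio.com"},
]


def hits(events=EVENTS):
    """Return (network rule hits, DNS rule hits) as lists of event ids."""
    net = [e["id"] for e in events if match_network_connection(e)]
    dns = [e["id"] for e in events if match_dns_query(e)]
    return net, dns


if __name__ == "__main__":
    print(hits())
```

Event 4 (the bare parent domain) and event 5 (the suffix string in the middle of another name) do not match. Neither selection looks at anything but the destination name, which is why legitimate tunnel use matches as well.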