Visual Studio Code Tunnel Execution

Severity: medium
Author: Nasreddine Bencherchali (Nextron Systems), citron_ninja
Source: upstream

Detects Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel

MITRE ATT&CK coverage

Tactic	Techniques
Command & Control	`T1071.001` Application Layer Protocol: Web Protocols, `T1219` Remote Access Tools

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `1 of selection_only_tunnel`

CommandLine|endswith: '.exe tunnel'
OriginalFileName: null

Stage 2: `1 of selection_tunnel_args`

CommandLine|contains: --accept-server-license-terms
CommandLine|contains: '.exe tunnel'

Stage 3: `1 of selection_parent_tunnel`

CommandLine|contains: '/d /c '
CommandLine|contains: '\servers\Stable-'
CommandLine|contains: code-server.cmd
Image|endswith: '\cmd.exe'
ParentCommandLine|endswith: ' tunnel'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	ends_with	`.exe tunnel` corpus 2 (sigma 2)
`CommandLine`	match	`--accept-server-license-terms` corpus 3 (sigma 3) `.exe tunnel` corpus 2 (sigma 2) `/d /c` corpus 2 (sigma 2) `\servers\Stable-` corpus 2 (sigma 2) `code-server.cmd` corpus 2 (sigma 2)
`Image`	ends_with	`\cmd.exe` corpus 92 (sigma 92)
`ParentCommandLine`	ends_with	`tunnel` corpus 2 (sigma 2)