Detection rules › Sigma
Renamed Visual Studio Code Tunnel Execution
Detects renamed Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Command & Control | T1071.001 Application Layer Protocol: Web Protocols, T1219 Remote Access Tools |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
Stages and Predicates
Stage 1: 1 of selection_image_only_tunnel
CommandLine|endswith: '.exe tunnel'
OriginalFileName: null
Stage 2: 1 of selection_image_tunnel_args
CommandLine|contains: --accept-server-license-terms
CommandLine|contains: '.exe tunnel'
Stage 3: 1 of selection_image_tunnel_service
CommandLine|contains: internal-run
CommandLine|contains: service
CommandLine|contains: 'tunnel '
CommandLine|contains: tunnel-service.log
Stage 4: not 1 of filter_main_image_code
or:
Image|endswith: '\code-tunnel.exe'
Image|endswith: '\code.exe'
Stage 5: selection_parent_tunnel
CommandLine|contains: '/d /c '
CommandLine|contains: '\servers\Stable-'
CommandLine|contains: code-server.cmd
Image|endswith: '\cmd.exe'
ParentCommandLine|endswith: ' tunnel'
Stage 6: not 1 of filter_main_parent_code
or:
ParentImage|endswith: '\code-tunnel.exe'
ParentImage|endswith: '\code.exe'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
CommandLine | ends_with |
|
CommandLine | match |
|
Image | ends_with |
|
ParentCommandLine | ends_with |
|
ParentImage | ends_with |
|