Rule : Detection of Suspicious Visual Studio DevTunnels Communication
Dev Tunnelnetworkdetection
Query
DeviceNetworkEvents
| where RemoteUrl endswith "tunnels.api.visualstudio.com" or RemoteUrl endswith "devtunnels.ms"
| where InitiatingProcessVersionInfoOriginalFileName != @"ServiceHub.Host.dotnet.x64.dll"
| where InitiatingProcessVersionInfoFileDescription != @"ServiceHub.Host.dotnet.arm64"About this query
Explanation
This query is designed to detect suspicious network communications involving Visual Studio's DevTunnels feature, which is used for secure remote connections and debugging. The query specifically looks for network events where the destination URL ends with tunnels.api.visualstudio.com or devtunnels.ms. It excludes legitimate Visual Studio processes (ServiceHub.Host.dotnet.x64.dll or ServiceHub.Host.dotnet.arm64) to focus on potentially unauthorized or malicious activity. By monitoring these criteria, the query aims to identify unusual or suspicious use of DevTunnels that could indicate unauthorized remote access or data exfiltration.
Details

Ali Hussein
Released: September 9, 2024
Tables
DeviceNetworkEvents
Keywords
DeviceNetworkEventsRemoteUrlInitiatingProcessVersionInfoOriginalFileNameInitiatingProcessVersionInfoFileDescription
Operators
endswithor!=|