Query Details

Rule : Detection of Suspicious Visual Studio DevTunnels Communication

Dev Tunnelnetworkdetection

Query

DeviceNetworkEvents
| where RemoteUrl endswith "tunnels.api.visualstudio.com" or RemoteUrl endswith "devtunnels.ms"
| where InitiatingProcessVersionInfoOriginalFileName != @"ServiceHub.Host.dotnet.x64.dll" 
| where InitiatingProcessVersionInfoFileDescription != @"ServiceHub.Host.dotnet.arm64"

About this query

Explanation

This query is designed to detect suspicious network communications involving Visual Studio's DevTunnels feature, which is used for secure remote connections and debugging. The query specifically looks for network events where the destination URL ends with tunnels.api.visualstudio.com or devtunnels.ms. It excludes legitimate Visual Studio processes (ServiceHub.Host.dotnet.x64.dll or ServiceHub.Host.dotnet.arm64) to focus on potentially unauthorized or malicious activity. By monitoring these criteria, the query aims to identify unusual or suspicious use of DevTunnels that could indicate unauthorized remote access or data exfiltration.

Details

Ali Hussein profile picture

Ali Hussein

Released: September 9, 2024

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEventsRemoteUrlInitiatingProcessVersionInfoOriginalFileNameInitiatingProcessVersionInfoFileDescription

Operators

endswithor!=|

Actions

GitHub