Query Details

Rule : Visual Studio Code Tunnel Abuse Detection

Devtunnelcodetunneling

Query

DeviceProcessEvents
| where (ProcessVersionInfoProductName == @"Visual Studio Code" and ProcessCommandLine contains "tunnel" )
or ProcessCommandLine has_all ("host", "allow-anonymous") 
or ProcessCommandLine has_all ("port", "create", "-p")

About this query

Explanation

This query is designed to detect potentially malicious use of the "tunnel" feature in Visual Studio Code (VSCode). Attackers might use this feature to create unauthorized connections and bypass network restrictions, which can be part of espionage activities like the Stately Taurus campaign.

Key Points:

  1. Purpose: Identify suspicious VSCode tunnel usage that could indicate malicious activity.
  2. What it Monitors:
    • Processes where the product name is "Visual Studio Code" and the command line includes "tunnel".
    • Command lines that include:
      • "host" and "allow-anonymous"
      • "port" and "create" with a -p flag for specifying ports
  3. Context: This method has been used in espionage campaigns targeting organizations, particularly in Southeast Asia.

Detection Logic:

  • The query looks at DeviceProcessEvents to find:
    • Processes related to VSCode with "tunnel" in the command line.
    • Command lines that include both "host" and "allow-anonymous".
    • Command lines that include "port", "create", and the -p flag.

Tags:

  • Process Execution
  • Tunneling
  • DevTunnels
  • Visual Studio Code
  • Espionage

Search Query:

DeviceProcessEvents
| where (ProcessVersionInfoProductName == @"Visual Studio Code" and ProcessCommandLine contains "tunnel" )
or ProcessCommandLine has_all ("host", "allow-anonymous") 
or ProcessCommandLine has_all ("port", "create", "-p")

In simple terms, this query helps detect if someone is using VSCode's tunnel feature in a way that might be suspicious or unauthorized, potentially indicating a security threat.

Details

Ali Hussein profile picture

Ali Hussein

Released: September 9, 2024

Tables

DeviceProcessEvents

Keywords

Devices

Operators

==containsorhas_all

Actions

GitHub