Rule : Visual Studio Code Tunnel Abuse Detection
Devtunnelcodetunneling
Query
DeviceProcessEvents
| where (ProcessVersionInfoProductName == @"Visual Studio Code" and ProcessCommandLine contains "tunnel" )
or ProcessCommandLine has_all ("host", "allow-anonymous")
or ProcessCommandLine has_all ("port", "create", "-p")About this query
Explanation
This query is designed to detect potentially malicious use of the "tunnel" feature in Visual Studio Code (VSCode). Attackers might use this feature to create unauthorized connections and bypass network restrictions, which can be part of espionage activities like the Stately Taurus campaign.
Key Points:
- Purpose: Identify suspicious VSCode tunnel usage that could indicate malicious activity.
- What it Monitors:
- Processes where the product name is "Visual Studio Code" and the command line includes "tunnel".
- Command lines that include:
- "host" and "allow-anonymous"
- "port" and "create" with a
-pflag for specifying ports
- Context: This method has been used in espionage campaigns targeting organizations, particularly in Southeast Asia.
Detection Logic:
- The query looks at
DeviceProcessEventsto find:- Processes related to VSCode with "tunnel" in the command line.
- Command lines that include both "host" and "allow-anonymous".
- Command lines that include "port", "create", and the
-pflag.
Tags:
- Process Execution
- Tunneling
- DevTunnels
- Visual Studio Code
- Espionage
Search Query:
DeviceProcessEvents
| where (ProcessVersionInfoProductName == @"Visual Studio Code" and ProcessCommandLine contains "tunnel" )
or ProcessCommandLine has_all ("host", "allow-anonymous")
or ProcessCommandLine has_all ("port", "create", "-p")
In simple terms, this query helps detect if someone is using VSCode's tunnel feature in a way that might be suspicious or unauthorized, potentially indicating a security threat.
Details

Ali Hussein
Released: September 9, 2024
Tables
DeviceProcessEvents
Keywords
Devices
Operators
==containsorhas_all