Detectionmediumtest
Visual Studio Code Tunnel Execution
Detects Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems), citron_ninjaCreated Wed Oct 25Updated Wed Oct 2990d6bd71-dffb-4989-8d86-a827fedd6624windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic3 selectors
detection:
selection_only_tunnel:
OriginalFileName: null
CommandLine|endswith: '.exe tunnel'
selection_tunnel_args:
CommandLine|contains|all:
- '.exe tunnel'
- '--accept-server-license-terms'
selection_parent_tunnel:
ParentCommandLine|endswith: ' tunnel'
Image|endswith: '\cmd.exe'
CommandLine|contains|all:
- '/d /c '
- '\servers\Stable-'
- 'code-server.cmd'
condition: 1 of selection_*False Positives
Legitimate use of Visual Studio Code tunnel
MITRE ATT&CK
Tactics
Techniques
Sub-techniques
Rule Metadata
Rule ID
90d6bd71-dffb-4989-8d86-a827fedd6624
Status
test
Level
medium
Type
Detection
Created
Wed Oct 25
Modified
Wed Oct 29
Path
rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml
Raw Tags
attack.command-and-controlattack.t1071.001attack.t1219