Network Connection Initiated To DevTunnels Domain
Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Events for outbound and inbound network connections including DNS resolution.
detection:
selection:
Initiated: 'true'
DestinationHostname|endswith: '.devtunnels.ms'
condition: selectionLegitimate use of Devtunnels will also trigger this.
Techniques
Sub-techniques
Network Connection Initiated To Visual Studio Code Tunnels Domain
Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Detects similar activity. Both rules may fire on overlapping events.
DNS Query To Visual Studio Code Tunnels Domain
Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Detects similar activity. Both rules may fire on overlapping events.
DNS Query To Devtunnels Domain
Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Detects similar activity. Both rules may fire on overlapping events.