Threat Hunt | medium | test

VsCode Code Tunnel Execution File Indicator

Detects the creation of a file named "code_tunnel.json", which indicates execution and usage of the VsCode tunneling utility. Attackers can abuse this functionality to establish a C2 channel.

Author: Nasreddine Bencherchali (Nextron Systems)
Created: Wed Oct 25
Rule ID: 9661ec9d-4439-4a7a-abed-d9be4ca43b6d
Product: windows
Hunting Hypothesis
Log Source
Windows / File Event
Product: Windows (raw: windows)
Category: File Event (raw: file_event)

Events for file system activity including creation, modification, and deletion.

Detection Logic
detection:
    selection:
        TargetFilename|endswith: '\code_tunnel.json'
    condition: selection
False Positives

Legitimate usage of VsCode tunneling functionality will also trigger this rule.
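The following is an added example, not code from the Sigma rule, its author or the Sigma project. It transcribes the rule's single selection (TargetFilename|endswith '\code_tunnel.json') into a minimal matcher and runs it over constructed Sysmon Event ID 11 (FileCreate) records, the way a detection engineer would unit-test the logic before deploying it. Sigma string comparisons are case-insensitive, so the matcher lower-cases both sides; the leading backslash in the pattern anchors the match to the whole file name, so a file such as "my_code_tunnel.json" is not a hit. The hunt output keeps the creating process (Image) next to each hit so that the legitimate VsCode usage mentioned under False Positives can be triaged; the file paths and process names in the sample records are constructed, not captured from a real host.

```python
from typing import Dict, List, Tuple

# The rule's detection block, transcribed from the page as a Python literal
# so the example needs no YAML parser (assumption: this mirrors the YAML exactly).
DETECTION = {
    "selection": {"TargetFilename|endswith": "\\code_tunnel.json"},
    "condition": "selection",
}


def field_matches(value: str, modifier: str, pattern: str) -> bool:
    """Apply one Sigma string modifier. Sigma string comparisons are
    case-insensitive, so both sides are lower-cased before comparing."""
    v, p = value.lower(), pattern.lower()
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "contains":
        return p in v
    if modifier == "":          # no modifier: exact (case-insensitive) equality
        return v == p
    raise ValueError(f"unsupported modifier {modifier!r}")


def selection_matches(selection: Dict[str, str], event: Dict[str, object]) -> bool:
    """A Sigma selection map is an AND of all its field conditions."""
    for key, pattern in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None or not field_matches(str(value), modifier, pattern):
            return False
    return True


def rule_matches(detection: Dict, event: Dict[str, object]) -> bool:
    # This rule's condition is just the name of one selection; a full Sigma
    # engine would parse boolean expressions here.
    name = detection["condition"]
    return selection_matches(detection[name], event)


# Constructed sample Sysmon Event ID 11 (FileCreate) records (illustrative values).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 11,
     "Image": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "TargetFilename": r"C:\Users\alice\.vscode-cli\code_tunnel.json"},
    {"EventID": 11,
     "Image": r"C:\Windows\Temp\svc.exe",
     "TargetFilename": r"C:\Windows\Temp\CODE_TUNNEL.JSON"},        # different case, still a hit
    {"EventID": 11,
     "Image": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "TargetFilename": r"C:\Users\alice\.vscode\settings.json"},   # unrelated VsCode file
    {"EventID": 11,
     "Image": r"C:\Program Files\App\app.exe",
     "TargetFilename": r"C:\Temp\my_code_tunnel.json"},             # not anchored at a path separator
]


def hunt(events: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Return (Image, TargetFilename) for every event the rule matches,
    so an analyst can separate legitimate VsCode usage from anything else."""
    return [(str(e.get("Image", "")), str(e["TargetFilename"]))
            for e in events if rule_matches(DETECTION, e)]


if __name__ == "__main__":
    for image, target in hunt(SAMPLE_EVENTS):
        print(f"HIT  {target}  (created by {image})")
```

Run the block directly to see the two hits; the first is the expected VsCode process writing its tunnel configuration, the second is an unknown binary in a temp directory and is the kind of hit the threat-hunting rule exists to surface.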

MITRE ATT&CK

Other

detection.threat-hunting
Rule Metadata
Rule ID
9661ec9d-4439-4a7a-abed-d9be4ca43b6d
Status
test
Level
medium
Type
Threat Hunt
Created
Wed Oct 25
Path
rules-threat-hunting/windows/file/file_event/file_event_win_vscode_tunnel_indicators.yml
Raw Tags
attack.command-and-control, detection.threat-hunting