DNS Query To Visual Studio Code Tunnels Domain
Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
DNS lookup events generated by endpoint monitoring tools.
detection:
  selection:
    QueryName|endswith: '.tunnels.api.visualstudio.com'
  condition: selection
Legitimate use of Visual Studio Code tunnels will also trigger this rule.
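As an added example (not code from the rule or this page), the selection above applied in Python to constructed DNS-query events in a Sysmon Event ID 22 shape, with hits grouped by the querying process so an analyst can weigh the false-positive note against process context. The field names, process paths and query names are assumptions, and matching is case-insensitive as Sigma's default string matching is.

```python
# Added example (not part of the Sigma rule or the page): applies the rule's
# selection logic to constructed DNS-query events and groups hits by the
# querying process for analyst triage.

# Suffix taken from the rule's selection (QueryName|endswith).
TUNNEL_SUFFIXES = (".tunnels.api.visualstudio.com",)

# Constructed sample events in a Sysmon Event ID 22 (DNS query) shape; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "QueryName": "abc123.rel.tunnels.api.visualstudio.com"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "QueryName": "XYZ789.REL.TUNNELS.API.VISUALSTUDIO.COM"},   # mixed case
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "QueryName": "marketplace.visualstudio.com"},               # other VS domain, no hit
    {"Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "tunnels.api.visualstudio.com"},               # apex name, no leading dot
]


def matches_selection(event: dict) -> bool:
    """Sigma |endswith with the default case-insensitive string matching."""
    query_name = str(event.get("QueryName", "")).lower()
    return any(query_name.endswith(suffix) for suffix in TUNNEL_SUFFIXES)


def run_rule(events: list[dict]) -> list[dict]:
    """condition: selection -- every event matching the selection is a hit."""
    return [event for event in events if matches_selection(event)]


def hits_by_process(events: list[dict]) -> dict[str, list[str]]:
    """Group matching query names by the querying process image. The rule's own
    false-positive note says legitimate VS Code tunnel use fires it too, so the
    process context is what an analyst looks at first."""
    grouped: dict[str, list[str]] = {}
    for event in run_rule(events):
        grouped.setdefault(event["Image"], []).append(event["QueryName"])
    return grouped


if __name__ == "__main__":
    for image, names in hits_by_process(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(names)}")
```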
Network Connection Initiated To DevTunnels Domain
Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Detects similar activity. Both rules may fire on overlapping events.
Network Connection Initiated To Visual Studio Code Tunnels Domain
Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Detects similar activity. Both rules may fire on overlapping events.
DNS Query To Devtunnels Domain
Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Detects similar activity. Both rules may fire on overlapping events.