Detectionhightest
Renamed VsCode Code Tunnel Execution - File Indicator
Detects the creation of a file with the name "code_tunnel.json" which indicate execution and usage of VsCode tunneling utility by an "Image" or "Process" other than VsCode.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems)Created Wed Oct 25d102b8f5-61dc-4e68-bd83-9a3187c67377windows
Log Source
WindowsFile Event
ProductWindows← raw: windows
CategoryFile Event← raw: file_event
Events for file system activity including creation, modification, and deletion.
Detection Logic
Detection Logic2 selectors
detection:
selection:
TargetFilename|endswith: '\code_tunnel.json'
filter_main_legit_name:
# Note: There might be other legitimate names for VsCode. Please add them if found
Image|endswith:
- '\code-tunnel.exe'
- '\code.exe'
condition: selection and not 1 of filter_main_*False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
MITRE ATT&CK
Tactics
Rule Metadata
Rule ID
d102b8f5-61dc-4e68-bd83-9a3187c67377
Status
test
Level
high
Type
Detection
Created
Wed Oct 25
Path
rules/windows/file/file_event/file_event_win_vscode_tunnel_renamed_execution.yml
Raw Tags
attack.command-and-control