Network Connection Initiated To Visual Studio Code Tunnels Domain

Rule Info

Name: Network Connection Initiated To Visual Studio Code Tunnels Domain
Author: Kamran Saifullah
Description: Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Date: 2023-11-20 00:00:00
Modified: None
Id: 4b657234-038e-4ad5-997c-4be42340bce4
Tags: attack.exfiltration, attack.t1567.001
Type: Community Rule

Rule History

| Author | Title | Date | Commit |
| --- | --- | --- | --- |
| github-actions[bot] | Merge PR #5027 from @nasbench - Promote older rules status from `experimental` to `test` | 2024-10-01 | |
| Nasreddine Bencherchali | Merge PR #4950 from @nasbench - Comply With v2 Spec Changes | 2024-08-12 | |
| Florian Roth | Merge PR #4866 from @Neo23x0 - Update network connection rules | 2024-05-31 | |
| Kamran Saifullah - Frog Man | Merge PR #4580 from @deFr0ggy - Update VsCode/DevTunnels Communication Related Rules | 2023-11-20 | |