Query Details

Detecting Twill Typhoon VS Code Exploit

Query

// Detecting Twill Typhoon VSCode Exploit

// The Mustang Panda group, a Chinese hacking collective, has leveraged Visual Studio Code’s reverse shell feature to infiltrate Southeast Asian government systems. This method enables unauthorized access, malware deployment, and data exfiltration, marking a notable advancement in cyber espionage techniques. The following KQL detects the VS Code tunnel exploit within an MDE environment.

let deviceVScodeTunnel = 
DeviceEvents
| where InitiatingProcessCommandLine contains "code.exe"
and InitiatingProcessCommandLine contains "tunnel"
| distinct DeviceName;
DeviceNetworkEvents
| where RemoteUrl contains "tunnels.api.visualstudio.com"
or RemoteUrl contains "devtunnels.ms"
| where DeviceName has_any (deviceVScodeTunnel)

// Based on the behavior described in your query, the associated MITRE ATT&CK techniques are:

// Protocol Tunneling (T1572): This technique involves encapsulating one protocol within another to avoid detection and enable access to otherwise unreachable systems. Your query is looking for network events that suggest tunneling, which aligns with this technique.
// Command and Control (TA0011): This tactic involves adversaries trying to communicate with compromised systems to control them. The use of tunneling and specific URLs in your query suggests an attempt to establish a command and control channel.

Explanation

This KQL query is designed to detect a specific exploit used by the Mustang Panda hacking group, which targets Visual Studio Code's reverse shell feature to gain unauthorized access to systems, deploy malware, and steal data. Here's a simplified breakdown of what the query does:

  1. Identify Devices Running VS Code Tunnels:

    • It searches for devices where the command line includes "code.exe" and "tunnel," indicating that Visual Studio Code's tunnel feature is being used.
    • It collects a list of these devices.
  2. Monitor Network Events for Suspicious URLs:

    • It then looks at network events to find connections to specific URLs associated with Visual Studio Code tunnels ("tunnels.api.visualstudio.com" or "devtunnels.ms").
    • It checks if these network events are happening on any of the devices identified in the first step.
  3. MITRE ATT&CK Techniques:

    • Protocol Tunneling (T1572): The query looks for network behavior that suggests protocol tunneling, which is a method to hide communication within another protocol to avoid detection.
    • Command and Control (TA0011): The query also indicates attempts to establish a command and control channel, which is how attackers communicate with and control compromised systems.

In summary, this query helps detect if the Visual Studio Code tunnel feature is being exploited on your network, which could indicate a sophisticated cyber espionage attack.
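The same two-stage logic, re-implemented in Python over constructed sample rows so the matching rules can be checked offline. This is an added example, not part of the original query page; the DeviceName and RemoteUrl values are made up, and KQL's case-insensitive `contains` / `has_any` semantics are reproduced explicitly.

```python
# Constructed sample rows modelled on the MDE DeviceEvents and
# DeviceNetworkEvents columns the KQL query reads (not real telemetry).
DEVICE_EVENTS = [
    {"DeviceName": "ws-01.corp.example",
     "InitiatingProcessCommandLine":
         '"C:\\Program Files\\Microsoft VS Code\\Code.exe" tunnel --accept-server-license-terms'},
    {"DeviceName": "ws-02.corp.example",
     "InitiatingProcessCommandLine":
         '"C:\\Program Files\\Microsoft VS Code\\code.exe" --new-window'},
    {"DeviceName": "ws-03.corp.example",
     "InitiatingProcessCommandLine": "cmd.exe /c whoami"},
]
DEVICE_NETWORK_EVENTS = [
    {"DeviceName": "WS-01.corp.example", "RemoteUrl": "global.rel.tunnels.api.visualstudio.com"},
    {"DeviceName": "ws-01.corp.example", "RemoteUrl": "update.code.visualstudio.com"},
    {"DeviceName": "ws-02.corp.example", "RemoteUrl": "euw.rel.tunnels.api.visualstudio.com"},
    {"DeviceName": "ws-03.corp.example", "RemoteUrl": "example.devtunnels.ms"},
]

# The two URL fragments from the DeviceNetworkEvents stage of the query.
TUNNEL_URL_MARKERS = ("tunnels.api.visualstudio.com", "devtunnels.ms")


def kql_contains(haystack: str, needle: str) -> bool:
    """KQL `contains` is a case-insensitive substring match."""
    return needle.lower() in haystack.lower()


def devices_running_vscode_tunnel(device_events) -> set:
    """Stage 1: the `let deviceVScodeTunnel = ... | distinct DeviceName` step."""
    return {
        ev["DeviceName"]
        for ev in device_events
        if kql_contains(ev["InitiatingProcessCommandLine"], "code.exe")
        and kql_contains(ev["InitiatingProcessCommandLine"], "tunnel")
    }


def suspicious_tunnel_connections(device_events, network_events) -> list:
    """Stage 2: network events to tunnel endpoints from the stage-1 devices."""
    # `has_any` is also case-insensitive, so normalise device names.
    tunnel_devices = {d.lower() for d in devices_running_vscode_tunnel(device_events)}
    return [
        ev for ev in network_events
        if any(kql_contains(ev["RemoteUrl"], m) for m in TUNNEL_URL_MARKERS)
        and ev["DeviceName"].lower() in tunnel_devices
    ]


if __name__ == "__main__":
    for hit in suspicious_tunnel_connections(DEVICE_EVENTS, DEVICE_NETWORK_EVENTS):
        print(hit["DeviceName"], "->", hit["RemoteUrl"])
```

Only ws-01 is reported: ws-02 reached a tunnel endpoint but never launched `code.exe tunnel`, and ws-03 contacted devtunnels.ms without VS Code at all, so both fall outside the query as written. Legitimate developer use of VS Code remote tunnels produces exactly the same pattern, so hits still need triage against expected users and hosts.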

Details

Steven Lim

Released: September 16, 2024

Tables

DeviceEvents, DeviceNetworkEvents

Keywords

DeviceEvents, Network

Operators

let, contains, and, distinct, or, has_any