Query Details

Dev Tunnel File Events

Query

# Rule : Detection of Suspicious File Events Involving DevTunnels

## Description
This detection rule monitors for suspicious file operations in folders named "DevTunnels". Dev tunnels are a Microsoft service, used by Visual Studio, Visual Studio Code and the `devtunnel` CLI, that exposes a local port through a Microsoft-hosted endpoint for remote debugging and development. Because the same capability gives an attacker an outbound, TLS-wrapped channel into a host through a trusted Microsoft domain, unexpected file activity in this folder can indicate that a threat actor is setting up or maintaining such a tunnel for persistence or remote access.

This rule excludes one known legitimate source of such events, Dell Display Manager 2, to limit false positives. Monitoring DevTunnels folders for unexpected file activity can help surface threat actors using the feature for remote access or lateral movement.

- [Related SigmaHQ Rule for DevTunnels Monitoring](https://github.com/SigmaHQ/sigma/blob/ab2fb3642611988012a1ee79b056e2f3068059aa/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml)

## Detection Logic
- Monitors `DeviceFileEvents` for events where:
  - `FolderPath` has the term "DevTunnels" (`has` matches a whole term, so `...\DevTunnels` matches but `...\DevTunnelsCache` does not), and
  - `InitiatingProcessFileName` is not `DellDisplayManager.exe`, the known benign source of such events.
- Caveats for tuning:
  - The exclusion keys on the process file name only, so a renamed or dropped binary called `DellDisplayManager.exe` bypasses it; pairing it with `InitiatingProcessFolderPath` or `InitiatingProcessSHA256` makes the exclusion harder to abuse.
  - `!=` is case-sensitive; use `!~` if process names in your telemetry vary in case.
  - In KQL `//` comments out the rest of the line, so the exclusion clause must sit on its own line, not after the comment.

## Tags
- File Events
- DevTunnels Monitoring
- Suspicious File Access
- Visual Studio Security
- Threat Detection

## Search Query
```kql
DeviceFileEvents
| where FolderPath has "DevTunnels"
// exclude Dell Display Manager (the clause must be on its own line, not after the comment)
| where InitiatingProcessFileName != "DellDisplayManager.exe"
```
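The following is an added, self-contained variant of the query above; it is not part of the original rule. It builds a constructed `datatable` in the shape of `DeviceFileEvents` (sample rows, not real telemetry) so the logic can be run in any Kusto endpoint, tightens the Dell exclusion to the process's install folder (the `C:\Program Files\Dell\` prefix is an assumption about where Dell Display Manager is installed and should be verified against your own telemetry), and summarizes hits per device and initiating process for triage.

```kql
// Constructed sample events mirroring the DeviceFileEvents columns used by the rule.
// Row 1: PowerShell writing devtunnel.exe into a user temp folder  -> should alert
// Row 2: Dell Display Manager from its install dir                 -> legitimate, excluded
// Row 3: a binary named DellDisplayManager.exe run from Downloads  -> renamed/dropped, should alert
// Row 4: folder "DevTunnelsCache" (not the whole term "DevTunnels") -> not matched by `has`
let SampleFileEvents = datatable(Timestamp:datetime, DeviceName:string, ActionType:string,
    FileName:string, FolderPath:string, InitiatingProcessFileName:string,
    InitiatingProcessFolderPath:string, InitiatingProcessAccountName:string)
[
    datetime(2024-09-09 10:00:00), "ws01", "FileCreated",  "devtunnel.exe",
        @"C:\Users\alice\AppData\Local\Temp\DevTunnels",
        "powershell.exe", @"C:\Windows\System32\WindowsPowerShell\v1.0", "alice",
    datetime(2024-09-09 10:01:00), "ws02", "FileModified", "config.json",
        @"C:\Program Files\Dell\Dell Display Manager 2\DevTunnels",
        "DellDisplayManager.exe", @"C:\Program Files\Dell\Dell Display Manager 2", "SYSTEM",
    datetime(2024-09-09 10:02:00), "ws03", "FileCreated",  "tunnel.log",
        @"C:\Users\bob\AppData\Local\Temp\DevTunnels",
        "DellDisplayManager.exe", @"C:\Users\bob\Downloads", "bob",
    datetime(2024-09-09 10:03:00), "ws04", "FileCreated",  "cache.db",
        @"C:\Users\carol\AppData\Local\DevTunnelsCache",
        "explorer.exe", @"C:\Windows", "carol"
];
SampleFileEvents
// Whole-term match: hits "...\DevTunnels" but not "...\DevTunnelsCache".
| where FolderPath has "DevTunnels"
// Exclude Dell Display Manager only when it runs from its (assumed) install directory.
// A file-name-only exclusion, as in the base rule, would let the ws03 copy through.
| where not(InitiatingProcessFileName =~ "DellDisplayManager.exe"
            and InitiatingProcessFolderPath startswith @"C:\Program Files\Dell\")
// Collapse per device and initiating process so an analyst sees one line per suspect actor.
| summarize EventCount = count(), Files = make_set(FileName),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName,
       InitiatingProcessFolderPath, FolderPath
| order by FirstSeen asc
```

Against the sample rows this returns two results, ws01 and ws03; ws02 is dropped by the path-aware exclusion and ws04 never matches because `has` compares whole terms. To run it against live data, replace `SampleFileEvents` with `DeviceFileEvents` and keep the rest of the pipeline unchanged.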

Explanation

This query detects file activity in folders named "DevTunnels", the working folder of the Dev Tunnels feature that Visual Studio and related tooling use for remote connections. The goal is to identify unauthorized or malicious operations in these folders, which could indicate an attempt to establish or maintain remote access to the system.

The query works by:

  1. Monitoring file events (`DeviceFileEvents`) whose `FolderPath` contains the term "DevTunnels".
  2. Excluding events initiated by the known legitimate process `DellDisplayManager.exe` (Dell Display Manager 2) to avoid false positives.

In simple terms, the query surfaces unusual file activity in "DevTunnels" folders, which attackers can use to stage a remote-access tunnel, while ignoring activity from the one trusted process known to touch such folders.

Details

Ali Hussein

Released: September 9, 2024

Tables

DeviceFileEvents

Keywords

DeviceFileEvents, FolderPath, DevTunnels, DellDisplayManager, InitiatingProcessFileName

Operators

has, !=