# Rule: Visual Studio Code Tunnel Abuse Detection

## Description
This detection rule identifies suspicious use of the "tunnel" feature within Visual Studio Code (VSCode) that could indicate malicious activity or abuse. Attackers may leverage VSCode's tunnel functionality to establish unauthorized connections and bypass network restrictions. The rule monitors for command lines associated with tunnel creation, host setup, and allowing anonymous access. Malicious actors can exploit these functionalities to exfiltrate data or maintain persistence in a network.

This method has been observed in espionage campaigns such as **Stately Taurus**, which targeted organizations in Southeast Asia, highlighting the growing abuse of legitimate tools like VSCode in advanced attacks.

- [Stately Taurus Campaign by Unit42](https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/)

## Detection Logic
- Monitors `DeviceProcessEvents` for rows where any of the following holds:
  - The `ProcessVersionInfoProductName` is "Visual Studio Code" and the `ProcessCommandLine` contains "tunnel".
  - The `ProcessCommandLine` includes both "host" and "allow-anonymous".
  - The `ProcessCommandLine` includes "port" and "create" together with a `-p` flag for specifying the port.

## Tags
- Process Execution
- Tunneling
- DevTunnels
- Visual Studio Code
- Espionage

## Search Query
```kql
DeviceProcessEvents
// VSCode itself launched with the "tunnel" subcommand
| where (ProcessVersionInfoProductName == @"Visual Studio Code" and ProcessCommandLine contains "tunnel")
// any process hosting a tunnel with anonymous access allowed
or ProcessCommandLine has_all ("host", "allow-anonymous")
// any process creating a tunnel port with the -p flag
or ProcessCommandLine has_all ("port", "create", "-p")
```
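To see which rows each clause of the query surfaces, here is an added Python re-implementation of the rule's predicate (not part of the original rule, and not Microsoft's KQL engine) run over a constructed set of `DeviceProcessEvents` rows. The `contains` and `has_all` semantics are approximated as described in the comments, and every product name and command line in the sample, including the `devtunnel.exe` ones, is an assumption.

```python
import re

# Constructed sample DeviceProcessEvents rows (assumed, not real telemetry).
SAMPLE_EVENTS = [
    {"ProcessVersionInfoProductName": "Visual Studio Code",
     "ProcessCommandLine": "code.exe tunnel --accept-server-license-terms"},
    {"ProcessVersionInfoProductName": "Visual Studio Code",
     "ProcessCommandLine": "code.exe --folder-uri file:///C:/proj"},
    {"ProcessVersionInfoProductName": "",
     "ProcessCommandLine": "devtunnel.exe host -p 8080 --allow-anonymous"},
    {"ProcessVersionInfoProductName": "",
     "ProcessCommandLine": "devtunnel.exe port create -p 3389"},
    {"ProcessVersionInfoProductName": "Some Build Tool",  # unrelated process
     "ProcessCommandLine": "buildtool.exe create --port 5000 -p release"},
    {"ProcessVersionInfoProductName": "Microsoft Edge",
     "ProcessCommandLine": "msedge.exe https://example.test"},
]

_TERM = re.compile(r"[a-z0-9]+")

def kql_contains(haystack, needle):
    """KQL `contains`: case-insensitive substring match."""
    return needle.lower() in haystack.lower()

def kql_has(haystack, term):
    """Approximates KQL `has`: the term's alphanumeric tokens must appear as a contiguous
    run of whole tokens (case-insensitive); punctuation is dropped, so "-p" becomes "p"."""
    want, have = _TERM.findall(term.lower()), _TERM.findall(haystack.lower())
    n = len(want)
    return n > 0 and any(have[i:i + n] == want for i in range(len(have) - n + 1))

def kql_has_all(haystack, terms):
    return all(kql_has(haystack, t) for t in terms)

def matching_clauses(event):
    """Names of the rule's OR-clauses that fire for one event (empty list = no alert)."""
    product, cmd = event["ProcessVersionInfoProductName"], event["ProcessCommandLine"]
    fired = []
    if product == "Visual Studio Code" and kql_contains(cmd, "tunnel"):  # == is case-sensitive
        fired.append("vscode_tunnel")
    if kql_has_all(cmd, ("host", "allow-anonymous")):
        fired.append("host_allow_anonymous")
    if kql_has_all(cmd, ("port", "create", "-p")):  # not scoped to VSCode: fires for any product
        fired.append("port_create_p")
    return fired

def run_rule(events):
    """(command line, fired clauses) for every event the query would surface."""
    return [(e["ProcessCommandLine"], c) for e in events if (c := matching_clauses(e))]
```

Note that the second and third clauses are not tied to the Visual Studio Code product name, so the unrelated build-tool command line above also fires on "port", "create" and "-p"; this is worth accounting for when tuning the rule against your own telemetry.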

## Explanation

This query is designed to detect potentially malicious use of the "tunnel" feature in Visual Studio Code (VSCode). Attackers might use this feature to create unauthorized connections and bypass network restrictions, which can be part of espionage activities like the Stately Taurus campaign.

### Key Points

1. **Purpose:** Identify suspicious VSCode tunnel usage that could indicate malicious activity.
2. **What it monitors:**
   - Processes where the product name is "Visual Studio Code" and the command line includes "tunnel".
   - Command lines that include:
     - "host" and "allow-anonymous"
     - "port" and "create" with a `-p` flag for specifying ports
3. **Context:** This method has been used in espionage campaigns targeting organizations, particularly in Southeast Asia.

### Detection Logic

The query looks at `DeviceProcessEvents` to find:

- Processes related to VSCode with "tunnel" in the command line.
- Command lines that include both "host" and "allow-anonymous".
- Command lines that include "port", "create", and the `-p` flag.

In simple terms, this query helps detect if someone is using VSCode's tunnel feature in a way that might be suspicious or unauthorized, potentially indicating a security threat.

## Details

Author: Ali Hussein

Released: September 9, 2024

Tables: `DeviceProcessEvents`

Keywords: Devices

Operators: `==`, `contains`, `has_all`