EXPLORE
Sign In
← Back to Explore
sigmahighHunting

Renamed Visual Studio Code Tunnel Execution

Detects renamed Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel

MITRE ATT&CK

T1071.001T1219
command-and-control

Detection Query

selection_image_only_tunnel:
  OriginalFileName: null
  CommandLine|endswith: .exe tunnel
selection_image_tunnel_args:
  CommandLine|contains|all:
    - .exe tunnel
    - --accept-server-license-terms
selection_image_tunnel_service:
  CommandLine|contains|all:
    - "tunnel "
    - service
    - internal-run
    - tunnel-service.log
selection_parent_tunnel:
  ParentCommandLine|endswith: " tunnel"
  Image|endswith: \cmd.exe
  CommandLine|contains|all:
    - "/d /c "
    - \servers\Stable-
    - code-server.cmd
filter_main_parent_code:
  ParentImage|endswith:
    - \code-tunnel.exe
    - \code.exe
filter_main_image_code:
  Image|endswith:
    - \code-tunnel.exe
    - \code.exe
condition: (1 of selection_image_* and not 1 of filter_main_image_*) or
  (selection_parent_tunnel and not 1 of filter_main_parent_*)

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2023-09-28

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.command-and-controlattack.t1071.001attack.t1219
Raw Content
title: Renamed Visual Studio Code Tunnel Execution
id: 2cf29f11-e356-4f61-98c0-1bdb9393d6da
status: test
description: Detects renamed Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel
references:
    - https://ipfyx.fr/post/visual-studio-code-tunnel/
    - https://badoption.eu/blog/2023/01/31/code_c2.html
    - https://code.visualstudio.com/docs/remote/tunnels
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-28
modified: 2025-10-29
tags:
    - attack.command-and-control
    - attack.t1071.001
    - attack.t1219
logsource:
    category: process_creation
    product: windows
detection:
    selection_image_only_tunnel:
        OriginalFileName: null
        CommandLine|endswith: '.exe tunnel'
    selection_image_tunnel_args:
        CommandLine|contains|all:
            - '.exe tunnel'
            - '--accept-server-license-terms'
    selection_image_tunnel_service:
        CommandLine|contains|all:
            - 'tunnel '
            - 'service'
            - 'internal-run'
            - 'tunnel-service.log'
    selection_parent_tunnel:
        ParentCommandLine|endswith: ' tunnel'
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - '/d /c '
            - '\servers\Stable-'
            - 'code-server.cmd'
    filter_main_parent_code:
        ParentImage|endswith:
            - '\code-tunnel.exe'
            - '\code.exe'
    filter_main_image_code:
        Image|endswith:
            - '\code-tunnel.exe'
            - '\code.exe'
    condition: (1 of selection_image_* and not 1 of filter_main_image_*) or (selection_parent_tunnel and not 1 of filter_main_parent_*)
falsepositives:
    - Unknown
level: high