← Back to Explore
sigmamediumHunting
Visual Studio Code Tunnel Execution
Detects Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel
Detection Query
selection_only_tunnel:
OriginalFileName: null
CommandLine|endswith: .exe tunnel
selection_tunnel_args:
CommandLine|contains|all:
- .exe tunnel
- --accept-server-license-terms
selection_parent_tunnel:
ParentCommandLine|endswith: " tunnel"
Image|endswith: \cmd.exe
CommandLine|contains|all:
- "/d /c "
- \servers\Stable-
- code-server.cmd
condition: 1 of selection_*
Author
Nasreddine Bencherchali (Nextron Systems), citron_ninja
Created
2023-10-25
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.command-and-controlattack.t1071.001attack.t1219
Raw Content
title: Visual Studio Code Tunnel Execution
id: 90d6bd71-dffb-4989-8d86-a827fedd6624
status: test
description: Detects Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel
references:
- https://ipfyx.fr/post/visual-studio-code-tunnel/
- https://badoption.eu/blog/2023/01/31/code_c2.html
- https://code.visualstudio.com/docs/remote/tunnels
author: Nasreddine Bencherchali (Nextron Systems), citron_ninja
date: 2023-10-25
modified: 2025-10-29
tags:
- attack.command-and-control
- attack.t1071.001
- attack.t1219
logsource:
category: process_creation
product: windows
detection:
selection_only_tunnel:
OriginalFileName: null
CommandLine|endswith: '.exe tunnel'
selection_tunnel_args:
CommandLine|contains|all:
- '.exe tunnel'
- '--accept-server-license-terms'
selection_parent_tunnel:
ParentCommandLine|endswith: ' tunnel'
Image|endswith: '\cmd.exe'
CommandLine|contains|all:
- '/d /c '
- '\servers\Stable-'
- 'code-server.cmd'
condition: 1 of selection_*
falsepositives:
- Legitimate use of Visual Studio Code tunnel
level: medium