← Back to Explore
sigmamediumHunting
Network Connection Initiated To DevTunnels Domain
Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Detection Query
selection:
Initiated: "true"
DestinationHostname|endswith: .devtunnels.ms
condition: selection
Author
Kamran Saifullah
Created
2023-11-20
Data Sources
windowsNetwork Connection Events
Platforms
windows
References
Tags
attack.exfiltrationattack.command-and-controlattack.t1567.001attack.t1572
Raw Content
title: Network Connection Initiated To DevTunnels Domain
id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4
related:
- id: 4b657234-038e-4ad5-997c-4be42340bce4 # Net Connection VsCode
type: similar
- id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 # DNS VsCode
type: similar
- id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels
type: similar
status: test
description: |
Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
references:
- https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2
- https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security
- https://cydefops.com/devtunnels-unleashed
author: Kamran Saifullah
date: 2023-11-20
tags:
- attack.exfiltration
- attack.command-and-control
- attack.t1567.001
- attack.t1572
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
DestinationHostname|endswith: '.devtunnels.ms'
condition: selection
falsepositives:
- Legitimate use of Devtunnels will also trigger this.
level: medium