Adversaries may rename the legitimate VS Code tunnel client (code.exe or code-tunnel.exe) before running it, so that a tunnel used for command and control is started by a process whose name does not look like VS Code. The tunnel CLI still writes its state file, code_tunnel.json, whatever the binary is called, so a file-creation event for that name coming from any other image is a strong indicator of a renamed client. SOC teams can hunt for this in Microsoft Sentinel (formerly Azure Sentinel); the Sigma rule below and its ASIM imFileEvent translation express the check.
Detection Rule
title: Renamed VsCode Code Tunnel Execution - File Indicator
id: d102b8f5-61dc-4e68-bd83-9a3187c67377
status: test
description: |
    Detects the creation of a file with the name "code_tunnel.json" which indicates execution and usage of the VsCode tunneling utility by an "Image" or "Process" other than VsCode.
references:
    - https://ipfyx.fr/post/visual-studio-code-tunnel/
    - https://badoption.eu/blog/2023/01/31/code_c2.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-25
tags:
    - attack.command-and-control
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\code_tunnel.json'
    filter_main_legit_name:
        # Note: There might be other legitimate names for VsCode. Please add them if found
        Image|endswith:
            - '\code-tunnel.exe'
            - '\code.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
Sentinel Query
The Sigma field Image is the path of the process that created the file. In the ASIM file-event schema that is ActingProcessName, not TargetFilePath: TargetFilePath is the path of code_tunnel.json itself, which can never end in .exe, so a filter written against it excludes nothing and every legitimate VS Code tunnel also alerts. KQL endswith is case-insensitive, matching Sigma's default.
imFileEvent
| where EventType == "FileCreated"
| where TargetFileName endswith "\\code_tunnel.json"
| where not (ActingProcessName endswith "\\code-tunnel.exe" or ActingProcessName endswith "\\code.exe")
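The rule's logic applied to constructed file-creation events, as an added Python example that is not part of the Sigma rule or of this page. The event dictionaries use the Sigma field names (Image, TargetFilename) that the Windows file_event category maps to Sysmon Event ID 11; every path is a constructed sample, and `extra_legit_images` is a hypothetical parameter standing in for adding another trusted name to `filter_main_legit_name`. The second function shows why applying the filter to the target file's path instead of the creating process's path (an easy slip when translating to a file-event schema) can never exclude anything, because a .json path does not end in .exe.

```python
"""Sigma rule d102b8f5 (renamed VS Code tunnel client) over constructed events.

Added example, not part of the original rule or page. Events use the Sigma
field names Image and TargetFilename (Sysmon Event ID 11 shape); all paths
below are constructed samples.
"""
from typing import Iterable

# Mirrors detection.selection: TargetFilename|endswith '\code_tunnel.json'
TUNNEL_STATE_FILE = "\\code_tunnel.json"

# Mirrors detection.filter_main_legit_name: Image|endswith
LEGIT_IMAGES = ("\\code-tunnel.exe", "\\code.exe")


def _endswith_ci(value: str, suffix: str) -> bool:
    """Sigma string modifiers are case-insensitive by default, as is KQL endswith."""
    return value.lower().endswith(suffix.lower())


def is_suspicious(event: dict, extra_legit_images: Iterable[str] = ()) -> bool:
    """True when the event matches `selection and not 1 of filter_main_*`.

    extra_legit_images (hypothetical tuning hook) extends the image-name
    filter, which is the safe way to tune this rule: exclude a process name,
    not a directory an attacker can also write to.
    """
    target = event.get("TargetFilename", "")
    image = event.get("Image", "")
    if not _endswith_ci(target, TUNNEL_STATE_FILE):
        return False
    for suffix in (*LEGIT_IMAGES, *extra_legit_images):
        if _endswith_ci(image, suffix):
            return False
    return True


def wrong_translation_is_suspicious(event: dict) -> bool:
    """The filter applied to the created file's path rather than the process.

    A code_tunnel.json path never ends in .exe, so this filter excludes
    nothing and legitimate VS Code usage alerts as well.
    """
    target = event.get("TargetFilename", "")
    if not _endswith_ci(target, TUNNEL_STATE_FILE):
        return False
    return not any(_endswith_ci(target, s) for s in LEGIT_IMAGES)


# Constructed sample events; paths are illustrative only.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "TargetFilename": r"C:\Users\alice\.vscode-cli\code_tunnel.json"},
    {"Image": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\bin\code-tunnel.exe",
     "TargetFilename": r"C:\Users\alice\.vscode-cli\code_tunnel.json"},
    # Renamed tunnel CLI: the same state file written by an unexpected image name.
    {"Image": r"C:\Users\Public\updater.exe",
     "TargetFilename": r"C:\Users\Public\.vscode-cli\code_tunnel.json"},
    # Unrelated JSON write: selection does not match at all.
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\report.json"},
]


def run(events=SAMPLE_EVENTS, extra_legit_images=()):
    """Return the Image of every event the rule would alert on."""
    return [e["Image"] for e in events if is_suspicious(e, extra_legit_images)]


if __name__ == "__main__":
    for image in run():
        print("ALERT renamed tunnel client:", image)
```

Running it alerts only on the constructed updater.exe event; the two real VS Code image names pass through the filter, and the same updater event is silenced by passing its name through the tuning hook rather than by excluding C:\Users\Public.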
False Positive Scenarios
The rule keys on the creation of code_tunnel.json, not on any executable name, so tuning should extend filter_main_legit_name with the exact image name of a trusted process. Directory-based exclusions, especially of Temp or other user-writable paths, hand the adversary an easy bypass: a renamed binary and its state directory are placed wherever the attacker chooses.
Scenario: Scheduled System Maintenance Task
Description: A scheduled task or deployment script installs or updates VS Code and runs the tunnel CLI as part of the job; the CLI writes code_tunnel.json. If the script launches the CLI through a wrapper or a copy not named code.exe or code-tunnel.exe, the rule fires.
Filter/Exclusion: Add the wrapper's exact image name to filter_main_legit_name. Do not exclude C:\Windows\Tasks\* or C:\Windows\System32\* by path: any process that can write there would inherit the exclusion.
Scenario: Admin Tool for Remote Debugging
Description: An administrator uses VS Code Remote Tunnels on a server to debug remotely; the CLI writes code_tunnel.json under the administrator's profile. With the original binary name this is already excluded by the filter.
Filter/Exclusion: No path exclusion is needed. If the organisation deploys the CLI under another name, add that name to the filter. Excluding C:\Users\Administrator\AppData\Local\Temp\* would suppress exactly the user-writable location an adversary would pick.
Scenario: CI/CD Pipeline Artifact Generation
Description: A build agent (Jenkins, GitHub Actions, Azure Pipelines) runs the VS Code CLI, for example to open a tunnel for debugging a runner, and writes code_tunnel.json on the agent host.
Filter/Exclusion: Scope any exclusion to the agent's service account together with the known image path, not to broad directories such as C:\BuildAgents\*, C:\Users\jenkins\AppData\Local\Temp\* or C:\azure-pipelines\*. Tunnels from build agents deserve review in their own right, since they expose an interactive remote session from the pipeline host.
Scenario: User-Initiated Remote Development Session
Description: A developer runs code tunnel on a workstation or remote server; the CLI (code.exe or code-tunnel.exe) writes code_tunnel.json under the user's profile.
Filter/Exclusion: Already covered by filter_main_legit_name. Do not broaden this to C:\Users\<username>\AppData\Local\Temp\* or to any path containing vscode-server; the adversary controls both the name of a renamed binary and the directory it writes to.
Scenario: Antivirus Quarantine File Creation
Description: An antivirus tool