The hypothesis is that an adversary is leveraging Visual Studio Code Tunnel to create remote files as part of a potential persistence or command and control setup. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage lateral movement or data exfiltration attempts.
Detection Rule
title: Visual Studio Code Tunnel Remote File Creation
id: 56e05d41-ce99-4ecd-912d-93f019ee0b71
status: test
description: |
    Detects the creation of a file by the "node.exe" process in the ".vscode-server" directory. Could be a sign of remote file creation via the VS Code tunnel feature.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-25
tags:
    - attack.command-and-control
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|contains: '\servers\Stable-'
        Image|endswith: '\server\node.exe'
        TargetFilename|contains: '\.vscode-server\data\User\History\'
    condition: selection
falsepositives:
    - Unknown
level: medium
imFileEvent
// ASIM: ActingProcessName is the full path of the creating process (Sigma "Image");
// TargetFilePath is the full path of the created file (Sigma "TargetFilename"), while
// TargetFileName holds only the file name, so the path filter must use TargetFilePath.
| where EventType == "FileCreated"
| where ActingProcessName contains @"\servers\Stable-" and ActingProcessName endswith @"\server\node.exe"
| where TargetFilePath contains @"\.vscode-server\data\User\History\"
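To check what the rule actually matches before deploying it, the three selection terms can be applied to file-creation events offline. The following Python script is an added example, not code from the page or from the Sigma project: the event records are constructed here in Sysmon Event ID 11 style (`Image` is the creating process, `TargetFilename` the created file), the host and user names, commit id and paths are placeholders, and the `allowed_hosts` allowlist is a hypothetical tuning knob for hosts where remote tunnels are sanctioned. Matching is case-insensitive, which mirrors Sigma's default string semantics and KQL's `contains`/`endswith` operators.

```python
"""Offline check of the 'Visual Studio Code Tunnel Remote File Creation' logic.

Added example; event records below are constructed, not real telemetry.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class FileEvent:
    host: str
    user: str
    image: str            # full path of the process that created the file (Sysmon Image)
    target_filename: str  # full path of the created file (Sysmon TargetFilename)


# Rule terms, copied from the Sigma selection above.
IMAGE_CONTAINS = "\\servers\\Stable-"
IMAGE_ENDSWITH = "\\server\\node.exe"
TARGET_CONTAINS = "\\.vscode-server\\data\\User\\History\\"


def matches_rule(ev: FileEvent) -> bool:
    """True when all three selection terms hold (case-insensitive, like Sigma/KQL)."""
    image = ev.image.lower()
    target = ev.target_filename.lower()
    return (
        IMAGE_CONTAINS.lower() in image
        and image.endswith(IMAGE_ENDSWITH.lower())
        and TARGET_CONTAINS.lower() in target
    )


def hunt(events: Iterable[FileEvent],
         allowed_hosts: Optional[Set[str]] = None) -> List[FileEvent]:
    """Return rule matches, minus hosts on a hypothetical allowlist.

    Tuning by host (or user) keeps the process/path logic intact; excluding by
    file extension or directory would instead blind the rule for everyone.
    """
    allowed = {h.lower() for h in (allowed_hosts or set())}
    return [ev for ev in events if matches_rule(ev) and ev.host.lower() not in allowed]


# Constructed sample events ("deadbeef" stands in for a VS Code commit id).
SAMPLE_EVENTS = [
    # Tunnel server node.exe writing to the remote History folder: matches.
    FileEvent("WS-FIN-07", "CORP\\jdoe",
              r"C:\Users\jdoe\.vscode\cli\servers\Stable-deadbeef\server\node.exe",
              r"C:\Users\jdoe\.vscode-server\data\User\History\-1a2b3c4d\entries.json"),
    # Same activity on a build host where tunnels are sanctioned: matches, tunable.
    FileEvent("DEV-BUILD-01", "CORP\\builder",
              r"C:\Users\builder\.vscode\cli\servers\Stable-deadbeef\server\node.exe",
              r"C:\Users\builder\.vscode-server\data\User\History\-5e6f7a8b\entries.json"),
    # Desktop VS Code writing its own local history: not the tunnel server, no match.
    FileEvent("WS-FIN-07", "CORP\\jdoe",
              r"C:\Users\jdoe\AppData\Local\Programs\Microsoft VS Code\Code.exe",
              r"C:\Users\jdoe\AppData\Roaming\Code\User\History\-9c0d1e2f\entries.json"),
    # Tunnel server writing outside the History folder: no match.
    FileEvent("WS-FIN-07", "CORP\\jdoe",
              r"C:\Users\jdoe\.vscode\cli\servers\Stable-deadbeef\server\node.exe",
              r"C:\Users\jdoe\project\notes.txt"),
]


if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS, allowed_hosts={"DEV-BUILD-01"}):
        print(f"ALERT host={ev.host} user={ev.user} file={ev.target_filename}")
```

Running the script prints one alert for `WS-FIN-07`; the `DEV-BUILD-01` hit is suppressed by the allowlist while the two non-tunnel events never match. The same host/user-based tuning carries over to the KQL query as an additional `where` clause on `DvcHostname` or `ActorUsername`, rather than a path or extension exclusion.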
Scenario: Developer using Visual Studio Code to create configuration files
Description: A developer may create .json or .yml files in a project directory as part of normal development tasks.
Filter/Exclusion: Exclude files created in known project directories (e.g., /home/user/Dev/project/config/) or files with known legitimate extensions (e.g., .json, .yml, .ts).
Scenario: System administrator configuring remote access via SSH tunnel
Description: An admin may manually create a tunnel configuration file (e.g., tunnel.conf) in a temporary directory as part of setting up SSH tunneling.
Filter/Exclusion: Exclude files created in temporary directories (e.g., /tmp/, /var/tmp/) or files with specific names like tunnel.conf.
Scenario: Scheduled job creating log files or temporary files
Description: A scheduled job (e.g., using cron or Task Scheduler) may create temporary files or log files in a system directory.
Filter/Exclusion: Exclude files created in system log directories (e.g., /var/log/, /var/opt/) or files with timestamps matching scheduled job execution times.
Scenario: DevOps pipeline creating artifacts or deployment files
Description: A CI/CD pipeline (e.g., Jenkins, GitLab CI) may create files in a build directory as part of the deployment process.
Filter/Exclusion: Exclude files created in CI/CD directories (e.g., /opt/jenkins/workspace/, /var/lib/gitlab-runner/builds/) or files with known artifact extensions (e.g., .tar.gz, .zip).
Scenario: User creating a file via a script or command-line tool
Description: A user may run a script or command (e.g., `