← Back to SOC feed Coverage →

Visual Studio Code Tunnel Shell Execution

sigma MEDIUM SigmaHQ
T1071.001
imProcessCreate
powershell
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-23T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detects the execution of a shell (powershell, bash, wsl…) via Visual Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system

Detection Rule

Sigma (Original)

title: Visual Studio Code Tunnel Shell Execution
id: f4a623c2-4ef5-4c33-b811-0642f702c9f1
status: test
description: Detects the execution of a shell (powershell, bash, wsl...) via Visual Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system.
references:
    - https://ipfyx.fr/post/visual-studio-code-tunnel/
    - https://badoption.eu/blog/2023/01/31/code_c2.html
    - https://code.visualstudio.com/docs/remote/tunnels
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-25
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|contains: '\servers\Stable-'
        ParentImage|endswith: '\server\node.exe'
        ParentCommandLine|contains: '.vscode-server' # Technically one can host its own local server instead of using the VsCode one. And that would probably change the name (requires further research)
    # Note: Child processes (ie: shells) can be whatever technically (with some efforts)
    selection_child_1:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains: '\terminal\browser\media\shellIntegration.ps1'
    selection_child_2:
        Image|endswith:
            - '\wsl.exe'
            - '\bash.exe'
    condition: selection_parent and 1 of selection_child_*
falsepositives:
    - Legitimate use of Visual Studio Code tunnel and running code from there
level: medium

KQL (Azure Sentinel)

imProcessCreate
| where ((ParentProcessName contains "\\servers\\Stable-" or ActingProcessName contains "\\servers\\Stable-") and (ParentProcessName endswith "\\server\\node.exe" or ActingProcessName endswith "\\server\\node.exe") and ActingProcessCommandLine contains ".vscode-server") and (((TargetProcessName endswith "\\powershell.exe" or TargetProcessName endswith "\\pwsh.exe") and TargetProcessCommandLine contains "\\terminal\\browser\\media\\shellIntegration.ps1") or (TargetProcessName endswith "\\wsl.exe" or TargetProcessName endswith "\\bash.exe"))

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml