VScode Remote Tunnel Abuse for Command and Control
Adversaries are leveraging the VScode remote tunnel feature to establish unauthorized access and control over Windows systems, potentially enabling command and control activities via disguised legitimate software.
The VScode remote tunnel feature enables developers to connect to remote environments. However, adversaries can exploit this to establish unauthorized access and control over systems. This technique involves executing the VScode portable binary with the "tunnel" command-line option, potentially establishing a covert communication channel. This activity can be masked as legitimate software usage, making it difficult to detect. This technique allows threat actors to bypass traditional network security measures and establish persistent remote access to compromised systems. The targeted systems are typically Windows-based development environments. Defenders should prioritize detecting and preventing the abuse of legitimate remote access tools.
Attack Chain
- Initial Access: The attacker gains initial access to a Windows system, possibly through phishing or exploiting a known vulnerability.
- Tool Deployment: The attacker deploys a portable version of VScode onto the compromised system.
- Tunnel Configuration: The attacker executes VScode with the
tunnelcommand-line option, configuring a remote tunnel to a GitHub or a remote VScode instance. - Session Establishment: The VScode instance on the compromised system initiates a connection to the attacker-controlled server, using the established tunnel.
- Command Execution: The attacker can now execute commands remotely on the compromised system via the tunnel.
- Lateral Movement: Using the compromised system as a pivot, the attacker attempts to move laterally to other systems within the network.
- Data Exfiltration: The attacker exfiltrates sensitive data from the compromised network through the established VScode tunnel.
- Persistence: The attacker establishes persistence by creating a scheduled task or modifying registry keys to ensure the VScode tunnel is automatically restarted upon system reboot.
Impact
Successful exploitation of the VScode remote tunnel feature can lead to unauthorized access to sensitive data, lateral movement within the network, and persistent command and control over compromised systems. This can result in data breaches, financial losses, and reputational damage. The lack of readily available IOCs and the legitimate nature of VScode makes detection challenging.
Recommendation
- Deploy the Sigma rule "Detect VScode Tunnel Execution" to your SIEM to detect suspicious VScode tunnel activity based on command-line arguments.
- Enable Sysmon process creation logging to capture the command-line arguments used when executing VScode.
- Monitor network connections for unusual traffic patterns originating from VScode processes, particularly connections to GitHub or other remote VScode instances.
- Implement application control policies to restrict the execution of unauthorized VScode instances and prevent the use of the
tunnelcommand-line option.
Detection coverage 2
Detect VScode Tunnel Execution
mediumDetects the execution of VScode with the 'tunnel' command-line option, indicating a potential attempt to establish a remote tunnel for command and control.
Detect VScode Tunnel Process Spawning Unusual Child Process
highDetects VScode tunnel process spawning unusual child processes, which could indicate command execution.
Detection queries are available on the platform. Get full rules →