Visual Studio Code — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/visual-studio-code/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioMon, 04 May 2026 14:17:05 +0000Detection of VScode Remote Tunneling for Command and Controlhttps://feed.craftedsignal.io/briefs/2024-09-vscode-tunnel/Mon, 04 May 2026 14:17:05 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-09-vscode-tunnel/The rule detects the execution of the VScode portable binary with the tunnel command line option, potentially indicating an attempt to establish a remote tunnel session to Github or a remote VScode instance for unauthorized access and command and control.This detection focuses on identifying the misuse of Visual Studio Code’s (VScode) remote tunnel feature to establish unauthorized access or control over systems. While the VScode remote tunnel feature is designed to allow developers to connect to remote environments seamlessly, attackers can abuse this functionality for malicious purposes. The rule specifically looks for the execution of the VScode portable binary with the “tunnel” command-line option, which is indicative of an attempt to establish a remote tunnel session to either GitHub or a remote VScode instance. Successful exploitation can lead to command and control capabilities, allowing attackers to remotely manage and compromise the affected system. The rule aims to detect this suspicious behavior by monitoring process execution and command-line arguments.

Attack Chain

  1. The attacker gains initial access to the target system through unspecified means.
  2. The attacker downloads a portable version of Visual Studio Code (VScode) onto the compromised system.
  3. The attacker executes the VScode binary with the tunnel command-line argument to initiate a remote tunnel session.
  4. The attacker specifies additional arguments such as --accept-server-license-terms to bypass license agreement prompts.
  5. The VScode tunnel attempts to establish a connection to a remote server, potentially a GitHub repository or a remote VScode instance controlled by the attacker.
  6. If successful, the tunnel creates a persistent connection, allowing the attacker to execute commands and transfer files.
  7. The attacker uses the established tunnel to remotely access the compromised system, enabling them to perform malicious activities such as data exfiltration or lateral movement.
  8. The attacker maintains persistent access through the established tunnel, allowing for long-term command and control of the compromised system.

Impact

Successful exploitation allows attackers to establish a persistent command and control channel, enabling them to remotely manage the compromised system. This can lead to data theft, deployment of ransomware, or further lateral movement within the network. While the number of potential victims and specific sectors targeted are not explicitly stated, the widespread use of VScode makes a wide range of organizations vulnerable.

Recommendation

  • Deploy the “Attempt to Establish VScode Remote Tunnel” rule to detect suspicious VScode tunnel activity in your environment.
  • Enable Sysmon process-creation logging to capture the necessary process execution data.
  • Investigate any alerts triggered by the rule, focusing on the command-line arguments and process behaviors to confirm malicious intent.
  • Monitor network connections originating from VScode processes for unusual or unauthorized connections to external servers.
  • Review and whitelist legitimate uses of VScode’s tunnel feature by authorized developers to reduce false positives.
]]>mediumadvisorycommand-and-controlvscoderemote-access-toolswindows