{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/devtunnels/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Visual Studio","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["devtunnels","reverse-proxy","command-and-control","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eMicrosoft Devtunnels, a feature within Visual Studio, enables developers to expose local development environments to the internet via secure tunnels. While designed for legitimate testing and debugging, attackers can abuse this functionality to establish covert communication channels from compromised systems. By executing \u003ccode\u003edevtunnel.exe\u003c/code\u003e or loading \u003ccode\u003edevtunnel.dll\u003c/code\u003e, an attacker can bypass network security measures and blend malicious activity with legitimate development traffic. This allows for remote access, data exfiltration, or command-and-control communications, making detection more challenging. 
This technique could be used to expose internal services or systems without proper authentication to the outside world, potentially leading to further compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial compromise of a system via typical methods (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eAttacker gains a foothold and establishes persistence on the compromised system.\u003c/li\u003e\n\u003cli\u003eAttacker executes \u003ccode\u003edevtunnel.exe\u003c/code\u003e or loads \u003ccode\u003edevtunnel.dll\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Dev Tunnels feature is configured to expose a service or the entire system to the internet.\u003c/li\u003e\n\u003cli\u003eA secure, temporary tunnel is established, bypassing normal network security measures.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the tunnel to remotely access the compromised system.\u003c/li\u003e\n\u003cli\u003eData exfiltration or command-and-control activities are performed through the tunnel.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access and control over the compromised system, blending their activities with legitimate development traffic.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to create covert communication channels, bypass network security measures, and exfiltrate sensitive data. The use of Dev Tunnels can make it difficult to detect malicious activity, as it blends in with legitimate development traffic. This can lead to prolonged access to compromised systems and significant data breaches. Lateral movement may be easier if internal services are exposed through the tunnel. 
The number of victims and the extent of the damage depend on the specific targets and the attacker\u0026rsquo;s objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the Sigma rules provided in this brief to detect the execution of \u003ccode\u003edevtunnel.exe\u003c/code\u003e and the loading of \u003ccode\u003edevtunnel.dll\u003c/code\u003e within your environment.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events (Sysmon EventID 1, Windows Event Log Security 4688, CrowdStrike ProcessRollup2) for the execution of \u003ccode\u003edevtunnel.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003edevtunnel.exe\u003c/code\u003e execution, especially those originating from unusual locations or user accounts.\u003c/li\u003e\n\u003cli\u003eFilter alerts (as mentioned in the known_false_positives) for approved development environments and users to reduce false positives.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to ensure the effectiveness of the provided Sigma rules.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-devtunnels-execution/","summary":"The execution of Microsoft devtunnels.exe can be abused by attackers to expose compromised systems to the internet, establish covert communication channels, and bypass network security measures, facilitating data exfiltration or command-and-control.","title":"Microsoft Devtunnels Execution for Covert Communication","url":"https://feed.craftedsignal.io/briefs/2024-01-devtunnels-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Visual Studio","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["devtunnels","reverse-proxy","command-and-control","data-exfiltration","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eMicrosoft Devtunnels, a feature within Visual Studio, allows developers to expose their local development environment to the internet through secure, temporary tunnels. While intended for legitimate purposes like testing webhooks and APIs, attackers can abuse this functionality. By exploiting Devtunnels, a malicious actor could expose a compromised system to the internet, establishing a covert communication channel that circumvents traditional network security measures. This unauthorized access enables data exfiltration, command-and-control (C2) communications, and further compromise of the environment while blending the malicious activity with legitimate development traffic. Defenders should monitor for anomalous image loads associated with Devtunnels to identify potential misuse.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker compromises a system within the target network.\u003c/li\u003e\n\u003cli\u003eAttacker installs or leverages an existing Visual Studio installation on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker configures Microsoft Devtunnels to expose the compromised system to the internet. 
This may involve creating a new tunnel or hijacking an existing one.\u003c/li\u003e\n\u003cli\u003eA malicious DLL (devtunnel.dll) is loaded from the temp directory (\u003ccode\u003e*\\\\AppData\\\\Local\\\\Temp\\\\.net\\\\devtunnel\\\\*\u003c/code\u003e) to establish the tunnel.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the established Devtunnel to create a reverse proxy to bypass network security measures.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the Devtunnel for command and control, sending commands and receiving responses from the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data from the compromised system through the Devtunnel.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of Microsoft Devtunnels can lead to significant security breaches. Attackers can establish persistent covert communication channels, exfiltrate sensitive data, and maintain long-term control over compromised systems. This can result in financial losses, reputational damage, and legal liabilities. 
The use of Devtunnels can bypass existing network security measures, making detection challenging and increasing the dwell time of attackers within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon EventID 7 to monitor image load events, which is the data source for the provided detection rule.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Devtunnels Image Load\u003c/code\u003e to your SIEM and tune the filter \u003ccode\u003ewindows_devtunnels_image_loaded_filter\u003c/code\u003e for your environment to reduce false positives from legitimate developer activity.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections associated with Devtunnels to identify potential covert communication channels.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the \u003ccode\u003eDetect Devtunnels Image Load\u003c/code\u003e rule, focusing on systems with development tools installed.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-devtunnels-image-load/","summary":"This detection identifies potential misuse of Microsoft Devtunnels within Visual Studio by detecting image load events, indicating that an attacker could expose a compromised system or service to the internet for covert communication and data exfiltration.","title":"Microsoft Devtunnels Image Load Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-02-devtunnels-image-load/"}],"language":"en","title":"CraftedSignal Threat Feed — Devtunnels","version":"https://jsonfeed.org/version/1.1"}