Microsoft Devtunnels Execution for Covert Communication

hello@craftedsignal.io — Wed, 03 Jan 2024 10:00:00 +0000

Microsoft Devtunnels, a feature within Visual Studio, enables developers to expose local development environments to the internet via secure tunnels. While designed for legitimate testing and debugging, attackers can abuse this functionality to establish covert communication channels from compromised systems. By executing devtunnel.exe or loading devtunnel.dll, an attacker can bypass network security measures and blend malicious activity with legitimate development traffic. This allows for remote access, data exfiltration, or command-and-control communications, making detection more challenging. This technique could be used to expose internal services or systems without proper authentication to the outside world, potentially leading to further compromise.

Attack Chain

Initial compromise of a system via typical methods (e.g., phishing, exploit).
Attacker gains a foothold and establishes persistence on the compromised system.
Attacker executes devtunnel.exe or loads devtunnel.dll.
The Dev Tunnels feature is configured to expose a service or the entire system to the internet.
A secure, temporary tunnel is established, bypassing normal network security measures.
The attacker uses the tunnel to remotely access the compromised system.
Data exfiltration or command-and-control activities are performed through the tunnel.
The attacker maintains persistent access and control over the compromised system, blending their activities with legitimate development traffic.

Impact

Successful exploitation allows attackers to create covert communication channels, bypass network security measures, and exfiltrate sensitive data. The use of Dev Tunnels can make it difficult to detect malicious activity, as it blends in with legitimate development traffic. This can lead to prolonged access to compromised systems and significant data breaches. Lateral movement may be easier if internal services are exposed through the tunnel. The number of victims and the extent of the damage depend on the specific targets and the attacker’s objectives.

Recommendation

Implement the Sigma rules provided in this brief to detect the execution of devtunnel.exe and the loading of devtunnel.dll within your environment.
Monitor process creation events (Sysmon EventID 1, Windows Event Log Security 4688, CrowdStrike ProcessRollup2) for the execution of devtunnel.exe.
Investigate any instances of devtunnel.exe execution, especially those originating from unusual locations or user accounts.
Filter alerts (as mentioned in the known_false_positives) for approved development environments and users to reduce false positives.
Enable Sysmon process-creation logging to ensure the effectiveness of the provided Sigma rules.

Microsoft Devtunnels Image Load Detection

hello@craftedsignal.io — Tue, 02 Jan 2024 12:00:00 +0000

Microsoft Devtunnels, a feature within Visual Studio, allows developers to expose their local development environment to the internet through secure, temporary tunnels. While intended for legitimate purposes like testing webhooks and APIs, attackers can abuse this functionality. By exploiting Devtunnels, a malicious actor could expose a compromised system to the internet, establishing a covert communication channel that circumvents traditional network security measures. This unauthorized access enables data exfiltration, command-and-control (C2) communications, and further compromise of the environment while blending the malicious activity with legitimate development traffic. Defenders should monitor for anomalous image loads associated with Devtunnels to identify potential misuse.

Attack Chain

Attacker compromises a system within the target network.
Attacker installs or leverages an existing Visual Studio installation on the compromised system.
The attacker configures Microsoft Devtunnels to expose the compromised system to the internet. This may involve creating a new tunnel or hijacking an existing one.
A malicious DLL (devtunnel.dll) is loaded from the temp directory (*\\AppData\\Local\\Temp\\.net\\devtunnel\\*) to establish the tunnel.
The attacker uses the established Devtunnel to create a reverse proxy to bypass network security measures.
The attacker uses the Devtunnel for command and control, sending commands and receiving responses from the compromised system.
The attacker exfiltrates sensitive data from the compromised system through the Devtunnel.

Impact

Successful exploitation of Microsoft Devtunnels can lead to significant security breaches. Attackers can establish persistent covert communication channels, exfiltrate sensitive data, and maintain long-term control over compromised systems. This can result in financial losses, reputational damage, and legal liabilities. The use of Devtunnels can bypass existing network security measures, making detection challenging and increasing the dwell time of attackers within the network.

Recommendation

Enable Sysmon EventID 7 to monitor image load events, which is the data source for the provided detection rule.
Deploy the Sigma rule Detect Devtunnels Image Load to your SIEM and tune the filter windows_devtunnels_image_loaded_filter for your environment to reduce false positives from legitimate developer activity.
Monitor network traffic for connections associated with Devtunnels to identify potential covert communication channels.
Investigate any alerts triggered by the Detect Devtunnels Image Load rule, focusing on systems with development tools installed.

Devtunnels — CraftedSignal Threat Feed

Microsoft Devtunnels Execution for Covert Communication

Attack Chain

Impact

Recommendation

Microsoft Devtunnels Image Load Detection

Attack Chain

Impact

Recommendation