{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/vscode/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","Sysmon","Visual Studio Code"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","vscode","remote-access-tools","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","GitHub","Elastic"],"content_html":"\u003cp\u003eThis detection focuses on identifying the misuse of Visual Studio Code\u0026rsquo;s (VScode) remote tunnel feature to establish unauthorized access or control over systems. While the VScode remote tunnel feature is designed to allow developers to connect to remote environments seamlessly, attackers can abuse this functionality for malicious purposes. The rule specifically looks for the execution of the VScode portable binary with the \u0026ldquo;tunnel\u0026rdquo; command-line option, which is indicative of an attempt to establish a remote tunnel session to either GitHub or a remote VScode instance. Successful exploitation can lead to command and control capabilities, allowing attackers to remotely manage and compromise the affected system. 
The rule aims to detect this suspicious behavior by monitoring process execution and command-line arguments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the target system through unspecified means.\u003c/li\u003e\n\u003cli\u003eThe attacker downloads a portable version of Visual Studio Code (VScode) onto the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the VScode binary with the \u003ccode\u003etunnel\u003c/code\u003e command-line argument to initiate a remote tunnel session.\u003c/li\u003e\n\u003cli\u003eThe attacker specifies additional arguments such as \u003ccode\u003e--accept-server-license-terms\u003c/code\u003e to bypass license agreement prompts.\u003c/li\u003e\n\u003cli\u003eThe VScode tunnel attempts to establish a connection to a remote server, potentially a GitHub repository or a remote VScode instance controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eIf successful, the tunnel creates a persistent connection, allowing the attacker to execute commands and transfer files.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the established tunnel to remotely access the compromised system, enabling them to perform malicious activities such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access through the established tunnel, allowing for long-term command and control of the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to establish a persistent command and control channel, enabling them to remotely manage the compromised system. This can lead to data theft, deployment of ransomware, or further lateral movement within the network. 
While the number of potential victims and specific sectors targeted are not explicitly stated, the widespread use of VScode makes a wide range of organizations vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Attempt to Establish VScode Remote Tunnel\u0026rdquo; rule to detect suspicious VScode tunnel activity in your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to capture the necessary process execution data.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the rule, focusing on the command-line arguments and process behaviors to confirm malicious intent.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from VScode processes for unusual or unauthorized connections to external servers.\u003c/li\u003e\n\u003cli\u003eReview and whitelist legitimate uses of VScode\u0026rsquo;s tunnel feature by authorized developers to reduce false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-09-vscode-tunnel/","summary":"The rule detects the execution of the VScode portable binary with the tunnel command line option, potentially indicating an attempt to establish a remote tunnel session to GitHub or a remote VScode instance for unauthorized access and command and control.","title":"Detection of VScode Remote Tunneling for Command and Control","url":"https://feed.craftedsignal.io/briefs/2024-09-vscode-tunnel/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["VS Code"],"_cs_severities":["medium"],"_cs_tags":["initial-access","execution","supply-chain-compromise","vscode"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eA malicious VS Code extension, configured to run upon editor startup, can execute arbitrary commands, potentially leading to the installation of 
remote access trojans (RATs) or other malicious payloads. The attack vector leverages the extension host under \u003ccode\u003e.vscode/extensions/\u003c/code\u003e to spawn processes such as script interpreters or download utilities. This activity has been observed in campaigns like the fake Clawdbot extension that installed ScreenConnect RAT. The execution can involve Living-off-the-Land binaries (LOLBins) or recently created executables from non-standard paths, posing a significant risk to Windows systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user installs a malicious VS Code extension.\u003c/li\u003e\n\u003cli\u003eThe extension is configured with \u003ccode\u003eactivationEvents: [\u0026quot;onStartupFinished\u0026quot;]\u003c/code\u003e to run automatically when VS Code starts.\u003c/li\u003e\n\u003cli\u003eThe VS Code extension host (\u003ccode\u003eCode.exe\u003c/code\u003e or \u003ccode\u003enode.exe\u003c/code\u003e) spawns a script interpreter (e.g., \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e) from within the \u003ccode\u003e.vscode/extensions/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe script interpreter executes a command to download a malicious payload from a remote server using tools like \u003ccode\u003ecurl.exe\u003c/code\u003e, \u003ccode\u003ebitsadmin.exe\u003c/code\u003e, or \u003ccode\u003emshta.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is saved to disk, often in a temporary directory outside of Program Files.\u003c/li\u003e\n\u003cli\u003eThe script interpreter executes the downloaded payload, leading to further malicious activity. 
For example, ScreenConnect might be installed.\u003c/li\u003e\n\u003cli\u003ePersistence mechanisms are established (e.g., via registry keys or scheduled tasks).\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote access to the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the complete compromise of a developer\u0026rsquo;s workstation, potentially affecting intellectual property and sensitive data. The installation of RATs like ScreenConnect can enable persistent remote access, allowing attackers to perform data exfiltration, lateral movement, and further malicious activities. The compromised machine can then be used as a pivot point to attack other systems within the organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Suspicious Execution from VS Code Extension\u0026rdquo; Sigma rule to your SIEM to detect malicious process execution from VS Code extensions.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for script interpreters and LOLBins spawned from the \u003ccode\u003e.vscode/extensions/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unsigned or untrusted executables.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit installed VS Code extensions for suspicious activity or unnecessary permissions.\u003c/li\u003e\n\u003cli\u003eEducate developers about the risks of installing extensions from untrusted sources.\u003c/li\u003e\n\u003cli\u003eBlock the C2 domains associated with ScreenConnect and other RATs at the firewall/DNS resolver.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-vscode-extension-execution/","summary":"Malicious VS Code extensions can execute arbitrary 
commands, leading to initial access and subsequent payload deployment on Windows systems.","title":"Suspicious Execution from VS Code Extension","url":"https://feed.craftedsignal.io/briefs/2024-01-vscode-extension-execution/"}],"language":"en","title":"CraftedSignal Threat Feed — Vscode","version":"https://jsonfeed.org/version/1.1"}