Detection of VScode Remote Tunneling for Command and Control

hello@craftedsignal.io — Mon, 04 May 2026 14:17:05 +0000

This detection focuses on identifying the misuse of Visual Studio Code’s (VScode) remote tunnel feature to establish unauthorized access or control over systems. While the VScode remote tunnel feature is designed to allow developers to connect to remote environments seamlessly, attackers can abuse this functionality for malicious purposes. The rule specifically looks for the execution of the VScode portable binary with the “tunnel” command-line option, which is indicative of an attempt to establish a remote tunnel session to either GitHub or a remote VScode instance. Successful exploitation can lead to command and control capabilities, allowing attackers to remotely manage and compromise the affected system. The rule aims to detect this suspicious behavior by monitoring process execution and command-line arguments.

Attack Chain

The attacker gains initial access to the target system through unspecified means.
The attacker downloads a portable version of Visual Studio Code (VScode) onto the compromised system.
The attacker executes the VScode binary with the tunnel command-line argument to initiate a remote tunnel session.
The attacker specifies additional arguments such as --accept-server-license-terms to bypass license agreement prompts.
The VScode tunnel attempts to establish a connection to a remote server, potentially a GitHub repository or a remote VScode instance controlled by the attacker.
If successful, the tunnel creates a persistent connection, allowing the attacker to execute commands and transfer files.
The attacker uses the established tunnel to remotely access the compromised system, enabling them to perform malicious activities such as data exfiltration or lateral movement.
The attacker maintains persistent access through the established tunnel, allowing for long-term command and control of the compromised system.

Impact

Successful exploitation allows attackers to establish a persistent command and control channel, enabling them to remotely manage the compromised system. This can lead to data theft, deployment of ransomware, or further lateral movement within the network. While the number of potential victims and specific sectors targeted are not explicitly stated, the widespread use of VScode makes a wide range of organizations vulnerable.

Recommendation

Deploy the “Attempt to Establish VScode Remote Tunnel” rule to detect suspicious VScode tunnel activity in your environment.
Enable Sysmon process-creation logging to capture the necessary process execution data.
Investigate any alerts triggered by the rule, focusing on the command-line arguments and process behaviors to confirm malicious intent.
Monitor network connections originating from VScode processes for unusual or unauthorized connections to external servers.
Review and whitelist legitimate uses of VScode’s tunnel feature by authorized developers to reduce false positives.

Suspicious Execution from VS Code Extension

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

A malicious VS Code extension, configured to run upon editor startup, can execute arbitrary commands, potentially leading to the installation of remote access trojans (RATs) or other malicious payloads. The attack vector leverages the extension host under .vscode/extensions/ to spawn processes such as script interpreters or download utilities. This activity has been observed in campaigns like the fake Clawdbot extension that installed ScreenConnect RAT. The execution can involve Living-off-the-Land binaries (LOLBins) or recently created executables from non-standard paths, posing a significant risk to Windows systems.

Attack Chain

A user installs a malicious VS Code extension.
The extension is configured with activationEvents: ["onStartupFinished"] to run automatically when VS Code starts.
The VS Code extension host (Code.exe or node.exe) spawns a script interpreter (e.g., powershell.exe, cmd.exe) from within the .vscode/extensions/ directory.
The script interpreter executes a command to download a malicious payload from a remote server using tools like curl.exe, bitsadmin.exe, or mshta.exe.
The downloaded payload is saved to disk, often in a temporary directory outside of Program Files.
The script interpreter executes the downloaded payload, leading to further malicious activity. For example, ScreenConnect might be installed.
Persistence mechanisms are established (e.g., via registry keys or scheduled tasks).
The attacker gains remote access to the compromised system.

Impact

A successful attack can lead to the complete compromise of a developer’s workstation, potentially affecting intellectual property and sensitive data. The installation of RATs like ScreenConnect can enable persistent remote access, allowing attackers to perform data exfiltration, lateral movement, and further malicious activities. The compromised machine can then be used as a pivot point to attack other systems within the organization.

Recommendation

Deploy the “Suspicious Execution from VS Code Extension” Sigma rule to your SIEM to detect malicious process execution from VS Code extensions.
Monitor process creation events for script interpreters and LOLBins spawned from the .vscode/extensions/ directory.
Implement application control policies to restrict the execution of unsigned or untrusted executables.
Regularly review and audit installed VS Code extensions for suspicious activity or unnecessary permissions.
Educate developers about the risks of installing extensions from untrusted sources.
Block the C2 domains associated with ScreenConnect and other RATs at the firewall/DNS resolver.

Vscode — CraftedSignal Threat Feed

Detection of VScode Remote Tunneling for Command and Control

Attack Chain

Impact

Recommendation

Suspicious Execution from VS Code Extension

Attack Chain

Impact

Recommendation