T1176.002

IDE Extensions

Adversaries may abuse an integrated development environment (IDE) extension to establish persistent access to victim systems. IDEs such as Visual Studio Code, IntelliJ IDEA, and Eclipse support extensions — software components that add features like code linting, auto-completion, task automation, or integration with external tools. A malicious extension can be installed through an extension marketplace or side-loaded directly into the IDE via a .vsix package. Once installed, the extension runs every time the IDE is launched, enabling persistent arbitrary code execution, backdoor establishment, cryptocurrency mining, or data exfiltration. Adversaries may also leverage benign extensions: for example, Mustang Panda has abused the VSCode built-in tunnel feature (code.exe tunnel) to establish persistent reverse shells routed through Microsoft infrastructure, bypassing firewall controls.

Microsoft Sentinel / Defender

kusto

let IDEProcesses = dynamic(["code.exe", "code-insiders.exe", "code-server", "idea.exe", "idea64.exe", "eclipse.exe", "webstorm.exe", "pycharm.exe", "pycharm64.exe", "phpstorm.exe", "rider.exe", "goland.exe", "clion.exe", "datagrip.exe"]);
let SuspiciousChildren = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "schtasks.exe", "net.exe", "net1.exe", "whoami.exe", "nltest.exe", "curl.exe", "wget.exe"]);
let LegitCmdPatterns = dynamic(["git ", "npm ", "yarn ", "pip ", "cargo ", "dotnet ", "gradle", "mvn ", "make ", "cmake", "eslint", "prettier", "tsc "]);
// Branch 1: VSCode tunnel creation (Mustang Panda reverse shell TTP)
let VscodeTunnel = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("code.exe", "code-insiders.exe", "code-server")
| where ProcessCommandLine has "tunnel"
| extend DetectionBranch = "VSCode-Tunnel-Reverse-Shell"
| extend RiskReason = "VSCode tunnel enables persistent remote code execution via Microsoft infrastructure";
// Branch 2: IDE spawning high-risk processes with no legitimate build pattern
let IDESuspiciousSpawn = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (IDEProcesses)
| where FileName in~ (SuspiciousChildren)
| where not (ProcessCommandLine has_any (LegitCmdPatterns))
| extend DetectionBranch = "IDE-Suspicious-Child-Process"
| extend RiskReason = strcat("IDE process ", InitiatingProcessFileName, " spawned ", FileName, " with non-build command line");
// Branch 3: VSIX extension side-load from outside marketplace
let VSIXSideload = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("code.exe", "code-insiders.exe")
| where ProcessCommandLine has "--install-extension" and ProcessCommandLine has ".vsix"
| extend DetectionBranch = "VSIX-Extension-Sideload"
| extend RiskReason = "Extension installed from local .vsix file — bypasses marketplace vetting";
// Branch 4: VSCode extension host making external network connections via child process
let ExtHostExternalConn = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("code.exe", "code-insiders.exe")
| where RemoteIPType == "Public"
| where RemotePort !in (80, 443)
| extend DetectionBranch = "IDE-External-NonHTTPS-Connection"
| extend RiskReason = strcat("IDE connected to public IP ", RemoteIP, " on non-standard port ", RemotePort)
| project Timestamp, DeviceName, AccountName, FileName=InitiatingProcessFileName, ProcessCommandLine=InitiatingProcessCommandLine, InitiatingProcessFileName="explorer.exe", InitiatingProcessCommandLine="", DetectionBranch, RiskReason;
// Union process and network branches
union VscodeTunnel, IDESuspiciousSpawn, VSIXSideload, ExtHostExternalConn
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch, RiskReason
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceNetworkEvents

False Positives

Developers using VSCode Remote Tunnels legitimately for authorized remote development — tunnel usage should be validated against IT-approved remote development policy
Security researchers or penetration testers testing IDE extensions in authorized lab environments
Extension developers side-loading their own .vsix files during local development and testing cycles
Build pipelines that invoke cmd.exe or powershell.exe as part of IDE task runners (e.g., VSCode tasks.json running build scripts) — these will have predictable, repeatable command lines
IDE extensions for Docker, Kubernetes, or cloud providers that legitimately connect to external management APIs on non-standard ports

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| eval IsIDEProcess=if(match(Image, "(?i)(code\.exe|code-insiders\.exe|idea\.exe|idea64\.exe|eclipse\.exe|webstorm\.exe|pycharm\.exe|pycharm64\.exe|phpstorm\.exe|rider\.exe|goland\.exe|clion\.exe)"), 1, 0)
| eval IsIDEParent=if(match(ParentImage, "(?i)(code\.exe|code-insiders\.exe|idea\.exe|idea64\.exe|eclipse\.exe|webstorm\.exe|pycharm\.exe|pycharm64\.exe|phpstorm\.exe|rider\.exe|goland\.exe|clion\.exe)"), 1, 0)
| eval VscodeTunnel=if(EventCode=1 AND match(Image, "(?i)code.*\.exe") AND match(CommandLine, "(?i)\btunnel\b"), 1, 0)
| eval VSIXSideload=if(EventCode=1 AND match(Image, "(?i)code.*\.exe") AND match(CommandLine, "(?i)--install-extension.*\.vsix"), 1, 0)
| eval SuspiciousIDESpawn=if(EventCode=1 AND IsIDEParent=1 AND match(Image, "(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|mshta\.exe|wscript\.exe|cscript\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|schtasks\.exe)") AND NOT match(CommandLine, "(?i)(git |npm |yarn |pip |cargo |dotnet |gradle|mvn |make |cmake|eslint|prettier)"), 1, 0)
| eval IDEExternalConn=if(EventCode=3 AND IsIDEProcess=1 AND NOT match(DestinationIp, "^(10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.|192\.168\.|127\.)") AND NOT (DestinationPort=80 OR DestinationPort=443), 1, 0)
| eval SuspicionScore=VscodeTunnel + VSIXSideload + SuspiciousIDESpawn + IDEExternalConn
| where SuspicionScore > 0
| eval DetectionBranch=case(
    VscodeTunnel=1, "VSCode-Tunnel-Reverse-Shell",
    VSIXSideload=1, "VSIX-Extension-Sideload",
    SuspiciousIDESpawn=1, "IDE-Suspicious-Child-Process",
    IDEExternalConn=1, "IDE-External-NonHTTPS-Connection",
    true(), "Unknown")
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DestinationIp, DestinationPort, DetectionBranch, SuspicionScore
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Sysmon Event ID 1 Sysmon Event ID 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Developers using VSCode Remote Tunnels legitimately for authorized remote development
Extension developers side-loading their own .vsix files during local testing
IDE task runners invoking build tools (cmd, powershell) as part of legitimate tasks.json or build configurations
Cloud IDE extensions (AWS Toolkit, Azure Tools) making management API connections on non-standard ports
DevContainers feature spawning shell processes as part of container lifecycle management

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  destinationip,
  destinationport,
  username,
  "Image" AS process_image,
  "CommandLine" AS command_line,
  "ParentImage" AS parent_image,
  CASE
    WHEN LOWER("CommandLine") LIKE '%tunnel%' AND (LOWER("Image") LIKE '%code.exe%' OR LOWER("Image") LIKE '%code-insiders.exe%') THEN 'VSCode-Tunnel-Reverse-Shell'
    WHEN LOWER("CommandLine") LIKE '%--install-extension%.vsix%' THEN 'VSIX-Extension-Sideload'
    WHEN (LOWER("ParentImage") LIKE '%code.exe%' OR LOWER("ParentImage") LIKE '%idea%.exe%' OR LOWER("ParentImage") LIKE '%eclipse.exe%' OR LOWER("ParentImage") LIKE '%pycharm%.exe%') AND (LOWER("Image") LIKE '%cmd.exe%' OR LOWER("Image") LIKE '%powershell.exe%' OR LOWER("Image") LIKE '%mshta.exe%' OR LOWER("Image") LIKE '%wscript.exe%' OR LOWER("Image") LIKE '%cscript.exe%' OR LOWER("Image") LIKE '%rundll32.exe%' OR LOWER("Image") LIKE '%certutil.exe%' OR LOWER("Image") LIKE '%bitsadmin.exe%' OR LOWER("Image") LIKE '%schtasks.exe%') AND NOT (LOWER("CommandLine") LIKE '%git %' OR LOWER("CommandLine") LIKE '%npm %' OR LOWER("CommandLine") LIKE '%yarn %' OR LOWER("CommandLine") LIKE '%pip %' OR LOWER("CommandLine") LIKE '%cargo %' OR LOWER("CommandLine") LIKE '%dotnet %' OR LOWER("CommandLine") LIKE '%gradle%' OR LOWER("CommandLine") LIKE '%mvn %' OR LOWER("CommandLine") LIKE '%make %' OR LOWER("CommandLine") LIKE '%cmake%') THEN 'IDE-Suspicious-Child-Process'
    WHEN (LOWER("Image") LIKE '%code.exe%' OR LOWER("Image") LIKE '%idea%.exe%') AND NOT (destinationip LIKE '10.%' OR destinationip LIKE '192.168.%' OR destinationip LIKE '172.1%.%' OR destinationip LIKE '172.2%.%' OR destinationip LIKE '172.3_.%' OR destinationip = '127.0.0.1') AND destinationport NOT IN (80, 443) THEN 'IDE-External-NonHTTPS-Connection'
    ELSE 'Unknown'
  END AS detection_branch
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND (
    (LOWER("CommandLine") LIKE '%tunnel%' AND (LOWER("Image") LIKE '%code.exe%' OR LOWER("Image") LIKE '%code-insiders.exe%'))
    OR (LOWER("CommandLine") LIKE '%--install-extension%.vsix%')
    OR (
      (LOWER("ParentImage") LIKE '%code.exe%' OR LOWER("ParentImage") LIKE '%idea%.exe%' OR LOWER("ParentImage") LIKE '%eclipse.exe%' OR LOWER("ParentImage") LIKE '%pycharm%.exe%' OR LOWER("ParentImage") LIKE '%webstorm.exe%' OR LOWER("ParentImage") LIKE '%phpstorm.exe%' OR LOWER("ParentImage") LIKE '%rider.exe%' OR LOWER("ParentImage") LIKE '%goland.exe%' OR LOWER("ParentImage") LIKE '%clion.exe%')
      AND (LOWER("Image") LIKE '%cmd.exe%' OR LOWER("Image") LIKE '%powershell.exe%' OR LOWER("Image") LIKE '%pwsh.exe%' OR LOWER("Image") LIKE '%mshta.exe%' OR LOWER("Image") LIKE '%wscript.exe%' OR LOWER("Image") LIKE '%cscript.exe%' OR LOWER("Image") LIKE '%rundll32.exe%' OR LOWER("Image") LIKE '%regsvr32.exe%' OR LOWER("Image") LIKE '%certutil.exe%' OR LOWER("Image") LIKE '%bitsadmin.exe%' OR LOWER("Image") LIKE '%schtasks.exe%')
      AND NOT (LOWER("CommandLine") LIKE '%git %' OR LOWER("CommandLine") LIKE '%npm %' OR LOWER("CommandLine") LIKE '%yarn %' OR LOWER("CommandLine") LIKE '%pip %' OR LOWER("CommandLine") LIKE '%gradle%' OR LOWER("CommandLine") LIKE '%mvn %' OR LOWER("CommandLine") LIKE '%make %' OR LOWER("CommandLine") LIKE '%cmake%' OR LOWER("CommandLine") LIKE '%eslint%' OR LOWER("CommandLine") LIKE '%prettier%' OR LOWER("CommandLine") LIKE '%tsc %')
    )
    OR (
      (LOWER("Image") LIKE '%code.exe%' OR LOWER("Image") LIKE '%code-insiders.exe%' OR LOWER("Image") LIKE '%idea%.exe%')
      AND NOT (destinationip LIKE '10.%' OR destinationip LIKE '192.168.%' OR destinationip = '127.0.0.1')
      AND destinationport NOT IN (80, 443)
      AND destinationip IS NOT NULL
    )
  )
  AND DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') > DATEADD('hour', -24, NOW())
ORDER BY devicetime DESC
LIMIT 500

high severity medium confidence

Data Sources

Sysmon Event ID 1 (Process Create) Sysmon Event ID 3 (Network Connection) Windows Security Event Log

Required Tables

events

False Positives

Developers using VSCode Remote Tunnels as a supported feature for remote development workflows — review tunnel usage against known developer assets and establish a whitelist of approved tunnel users
IT administrators side-loading approved internal tooling extensions via .vsix files on developer workstations — validate against approved software deployment records
Automated test frameworks or build pipelines that run tests via PowerShell or cmd.exe invoked from within JetBrains IDE run configurations — baseline normal build pipeline behavior per host

Sumo Logic CSE

sql

_sourceCategory=*windows*sysmon* OR _sourceCategory=*endpoint*
| where EventID in ("1", "3") OR EventCode in ("1", "3")
| parse field=CommandLine "*" as cmd_line nodrop
| parse field=Image "*" as process_image nodrop
| parse field=ParentImage "*" as parent_image nodrop
| parse field=DestinationIp "*" as dest_ip nodrop
| parse field=DestinationPort "*" as dest_port nodrop
// Classify IDE processes
| eval is_ide_process = if (matches(process_image, "(?i)(code\.exe|code-insiders\.exe|code-server|idea\.exe|idea64\.exe|eclipse\.exe|webstorm\.exe|pycharm\.exe|pycharm64\.exe|phpstorm\.exe|rider\.exe|goland\.exe|clion\.exe|datagrip\.exe)"), 1, 0)
| eval is_ide_parent = if (matches(parent_image, "(?i)(code\.exe|code-insiders\.exe|idea\.exe|idea64\.exe|eclipse\.exe|webstorm\.exe|pycharm\.exe|pycharm64\.exe|phpstorm\.exe|rider\.exe|goland\.exe|clion\.exe|datagrip\.exe)"), 1, 0)
// Branch scores
| eval vscode_tunnel = if (matches(process_image, "(?i)code.*\.exe") AND matches(cmd_line, "(?i)\btunnel\b"), 1, 0)
| eval vsix_sideload = if (matches(process_image, "(?i)code.*\.exe") AND matches(cmd_line, "(?i)--install-extension.*\.vsix"), 1, 0)
| eval ide_suspicious_spawn = if (
    is_ide_parent == 1
    AND matches(process_image, "(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|mshta\.exe|wscript\.exe|cscript\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|schtasks\.exe|whoami\.exe|nltest\.exe)")
    AND NOT matches(cmd_line, "(?i)(git |npm |yarn |pip |cargo |dotnet |gradle|mvn |make |cmake|eslint|prettier|tsc )"),
    1, 0)
| eval ide_external_conn = if (
    is_ide_process == 1
    AND EventCode == "3"
    AND NOT matches(dest_ip, "^(10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.|192\.168\.|127\.)") 
    AND dest_port != "80" AND dest_port != "443",
    1, 0)
| eval suspicion_score = vscode_tunnel + vsix_sideload + ide_suspicious_spawn + ide_external_conn
| where suspicion_score > 0
| eval detection_branch = if (vscode_tunnel == 1, "VSCode-Tunnel-Reverse-Shell",
    if (vsix_sideload == 1, "VSIX-Extension-Sideload",
    if (ide_suspicious_spawn == 1, "IDE-Suspicious-Child-Process",
    if (ide_external_conn == 1, "IDE-External-NonHTTPS-Connection", "Multi-Branch"))))
| fields _messageTime, _sourceHost, User, process_image, cmd_line, parent_image, dest_ip, dest_port, detection_branch, suspicion_score
| sort by _messageTime desc

high severity medium confidence

Data Sources

Sysmon for Windows (EventID 1, 3) Endpoint telemetry via Sumo Logic collector

Required Tables

_sourceCategory=*windows*sysmon*

False Positives

VSCode Remote Tunnel feature used legitimately by developers for remote coding — the 'tunnel' keyword in command line will always trigger; build a suppression list of approved developer hostnames and usernames
Extension developers or security researchers testing custom VSIX packages locally before marketplace submission — these will trigger the VSIX sideload branch; correlate with DevSec or engineering department identity
JetBrains IDEs running terminal tasks (npm install, pip install, gradle build) that chain through cmd.exe or PowerShell as intermediary shells — tune the LegitCmdPatterns exclusion list based on observed baseline

Google Chronicle / SecOps

yaral

rule ide_extension_abuse_t1176_002 {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects malicious IDE extension abuse including VSCode tunnel creation, VSIX side-loading, suspicious IDE child processes, and IDE external non-HTTPS connections. Covers T1176.002."
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1176.002"
    severity = "HIGH"
    priority = "HIGH"
  events:
    (
      // Branch 1: VSCode tunnel reverse shell (Mustang Panda)
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        AND re.regex($e.principal.process.file.full_path, `(?i)(code\.exe|code-insiders\.exe|code-server)`)
        AND re.regex($e.target.process.command_line, `(?i)\btunnel\b`)
      )
      OR
      // Branch 2: VSIX extension side-load
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        AND re.regex($e.principal.process.file.full_path, `(?i)code.*\.exe`)
        AND re.regex($e.target.process.command_line, `(?i)--install-extension.*\.vsix`)
      )
      OR
      // Branch 3: IDE spawning suspicious child processes
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        AND re.regex($e.principal.process.file.full_path, `(?i)(code\.exe|code-insiders\.exe|idea\.exe|idea64\.exe|eclipse\.exe|webstorm\.exe|pycharm\.exe|pycharm64\.exe|phpstorm\.exe|rider\.exe|goland\.exe|clion\.exe|datagrip\.exe)`)
        AND re.regex($e.target.process.file.full_path, `(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|mshta\.exe|wscript\.exe|cscript\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|schtasks\.exe|whoami\.exe|nltest\.exe|curl\.exe|wget\.exe)`)
        AND NOT re.regex($e.target.process.command_line, `(?i)(git |npm |yarn |pip |cargo |dotnet |gradle|mvn |make |cmake|eslint|prettier|tsc )`)
      )
      OR
      // Branch 4: IDE making external non-HTTPS network connection
      (
        $e.metadata.event_type = "NETWORK_CONNECTION"
        AND re.regex($e.principal.process.file.full_path, `(?i)(code\.exe|code-insiders\.exe|idea\.exe|idea64\.exe|eclipse\.exe|webstorm\.exe|pycharm\.exe|pycharm64\.exe)`)
        AND NOT re.regex($e.target.ip, `^(10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.|192\.168\.|127\.)`)
        AND $e.target.port != 80
        AND $e.target.port != 443
        AND $e.target.ip != ""
      )
    )
  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle UDM (PROCESS_LAUNCH events) Google Chronicle UDM (NETWORK_CONNECTION events) Endpoint Detection and Response telemetry forwarded to Chronicle

Required Tables

UDM events with metadata.event_type PROCESS_LAUNCH and NETWORK_CONNECTION

False Positives

Legitimate VSCode Remote Tunnels feature usage for developer remote work will match Branch 1 — create reference lists of approved developer devices and add a NOT $e.principal.hostname in %approved_developer_hosts condition
Internal extension distribution workflows where IT pushes custom .vsix packages to developer workstations will trigger Branch 2 — whitelist known software distribution accounts and hosts in a Chronicle reference list
IDEs running integrated terminal commands (git fetch, npm ci) where the intermediate shell is cmd.exe or PowerShell prior to the build command appearing — tune the negative regex to cover additional observed build invocation patterns

CrowdStrike LogScale (CQL)

cql

// T1176.002 — IDE Extension Abuse Detection
// Branch 1: VSCode tunnel creation (Mustang Panda reverse shell TTP)
#repo=base_sensor #event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(code\.exe|code-insiders\.exe|code-server)/
| CommandLine = /(?i)\btunnel\b/
| eval DetectionBranch = "VSCode-Tunnel-Reverse-Shell"
| eval RiskScore = 90

// Union Branch 2: VSIX side-load installation
| union [
  #repo=base_sensor #event_simpleName=ProcessRollup2
  | ImageFileName = /(?i)code.*\.exe/
  | CommandLine = /(?i)--install-extension.*\.vsix/
  | eval DetectionBranch = "VSIX-Extension-Sideload"
  | eval RiskScore = 75
]

// Union Branch 3: IDE spawning suspicious child processes
| union [
  #repo=base_sensor #event_simpleName=ProcessRollup2
  | ParentBaseFileName = /(?i)(code\.exe|code-insiders\.exe|idea\.exe|idea64\.exe|eclipse\.exe|webstorm\.exe|pycharm\.exe|pycharm64\.exe|phpstorm\.exe|rider\.exe|goland\.exe|clion\.exe|datagrip\.exe)/
  | ImageFileName = /(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|mshta\.exe|wscript\.exe|cscript\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|schtasks\.exe|whoami\.exe|nltest\.exe|curl\.exe|wget\.exe)/
  | CommandLine != /(?i)(git |npm |yarn |pip |cargo |dotnet |gradle|mvn |make |cmake|eslint|prettier|tsc )/
  | eval DetectionBranch = "IDE-Suspicious-Child-Process"
  | eval RiskScore = 70
]

// Union Branch 4: IDE external non-HTTPS network connection
| union [
  #repo=base_sensor #event_simpleName=NetworkConnectIP4
  | ImageFileName = /(?i)(code\.exe|code-insiders\.exe|idea\.exe|idea64\.exe|eclipse\.exe|webstorm\.exe|pycharm\.exe|pycharm64\.exe|phpstorm\.exe|rider\.exe|goland\.exe|clion\.exe)/
  | RemotePort != 80
  | RemotePort != 443
  | RemoteAddressIP4 != /^(10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.|192\.168\.|127\.)/
  | eval DetectionBranch = "IDE-External-NonHTTPS-Connection"
  | eval RiskScore = 60
]

// Aggregate and output
| table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, RemoteAddressIP4, RemotePort, DetectionBranch, RiskScore])
| sort(timestamp, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon sensor ProcessRollup2 events CrowdStrike Falcon sensor NetworkConnectIP4 events

Required Tables

#repo=base_sensor #event_simpleName=ProcessRollup2 #repo=base_sensor #event_simpleName=NetworkConnectIP4

False Positives

VSCode Remote Tunnels used legitimately — the tunnel branch will fire for every developer using this supported feature; build a suppression groupBy(ComputerName, UserName) with a count threshold or whitelist known tunnel users in a Falcon custom IOA exclusion
Penetration testers or red team operators using VSCode as a C2 delivery mechanism on their own authorized assessment targets — confirm with change management and scope documents before escalating
JetBrains IDEs on build servers connecting to artifact repositories (Nexus, Artifactory, private npm registries) on non-standard ports — baseline known build servers and add them to a ComputerName exclusion list for Branch 4

Last updated: 2026-04-18 Research depth: deep

References (8)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1176.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

IDE Extensions

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections