T1176.002 IBM QRadar · QRadar

Detect IDE Extensions in IBM QRadar

Adversaries may abuse an integrated development environment (IDE) extension to establish persistent access to victim systems. IDEs such as Visual Studio Code, IntelliJ IDEA, and Eclipse support extensions — software components that add features like code linting, auto-completion, task automation, or integration with external tools. A malicious extension can be installed through an extension marketplace or side-loaded directly into the IDE via a .vsix package. Once installed, the extension runs every time the IDE is launched, enabling persistent arbitrary code execution, backdoor establishment, cryptocurrency mining, or data exfiltration. Adversaries may also leverage benign extensions: for example, Mustang Panda has abused the VSCode built-in tunnel feature (code.exe tunnel) to establish persistent reverse shells routed through Microsoft infrastructure, bypassing firewall controls.

MITRE ATT&CK

Tactic: Persistence
Technique: T1176 Software Extensions
Sub-technique: T1176.002 IDE Extensions
Canonical reference: https://attack.mitre.org/techniques/T1176/002/

QRadar Detection Query

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  destinationip,
  destinationport,
  username,
  "Image" AS process_image,
  "CommandLine" AS command_line,
  "ParentImage" AS parent_image,
  CASE
    WHEN LOWER("CommandLine") LIKE '%tunnel%'
      AND (LOWER("Image") LIKE '%code.exe%' OR LOWER("Image") LIKE '%code-insiders.exe%')
      THEN 'VSCode-Tunnel-Reverse-Shell'
    WHEN LOWER("CommandLine") LIKE '%--install-extension%.vsix%'
      THEN 'VSIX-Extension-Sideload'
    WHEN (LOWER("ParentImage") LIKE '%code.exe%' OR LOWER("ParentImage") LIKE '%idea%.exe%' OR LOWER("ParentImage") LIKE '%eclipse.exe%' OR LOWER("ParentImage") LIKE '%pycharm%.exe%' OR LOWER("ParentImage") LIKE '%webstorm.exe%' OR LOWER("ParentImage") LIKE '%phpstorm.exe%' OR LOWER("ParentImage") LIKE '%rider.exe%' OR LOWER("ParentImage") LIKE '%goland.exe%' OR LOWER("ParentImage") LIKE '%clion.exe%')
      AND (LOWER("Image") LIKE '%cmd.exe%' OR LOWER("Image") LIKE '%powershell.exe%' OR LOWER("Image") LIKE '%pwsh.exe%' OR LOWER("Image") LIKE '%mshta.exe%' OR LOWER("Image") LIKE '%wscript.exe%' OR LOWER("Image") LIKE '%cscript.exe%' OR LOWER("Image") LIKE '%rundll32.exe%' OR LOWER("Image") LIKE '%regsvr32.exe%' OR LOWER("Image") LIKE '%certutil.exe%' OR LOWER("Image") LIKE '%bitsadmin.exe%' OR LOWER("Image") LIKE '%schtasks.exe%')
      AND NOT (LOWER("CommandLine") LIKE '%git %' OR LOWER("CommandLine") LIKE '%npm %' OR LOWER("CommandLine") LIKE '%yarn %' OR LOWER("CommandLine") LIKE '%pip %' OR LOWER("CommandLine") LIKE '%cargo %' OR LOWER("CommandLine") LIKE '%dotnet %' OR LOWER("CommandLine") LIKE '%gradle%' OR LOWER("CommandLine") LIKE '%mvn %' OR LOWER("CommandLine") LIKE '%make %' OR LOWER("CommandLine") LIKE '%cmake%' OR LOWER("CommandLine") LIKE '%eslint%' OR LOWER("CommandLine") LIKE '%prettier%' OR LOWER("CommandLine") LIKE '%tsc %')
      THEN 'IDE-Suspicious-Child-Process'
    WHEN (LOWER("Image") LIKE '%code.exe%' OR LOWER("Image") LIKE '%code-insiders.exe%' OR LOWER("Image") LIKE '%idea%.exe%')
      AND destinationip IS NOT NULL AND destinationport > 0
      AND NOT (INCIDR('10.0.0.0/8', destinationip) OR INCIDR('172.16.0.0/12', destinationip) OR INCIDR('192.168.0.0/16', destinationip) OR INCIDR('127.0.0.0/8', destinationip))
      AND destinationport NOT IN (80, 443)
      THEN 'IDE-External-NonHTTPS-Connection'
    ELSE 'Unknown'
  END AS detection_branch
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND (
    (LOWER("CommandLine") LIKE '%tunnel%' AND (LOWER("Image") LIKE '%code.exe%' OR LOWER("Image") LIKE '%code-insiders.exe%'))
    OR (LOWER("CommandLine") LIKE '%--install-extension%.vsix%')
    OR (
      (LOWER("ParentImage") LIKE '%code.exe%' OR LOWER("ParentImage") LIKE '%idea%.exe%' OR LOWER("ParentImage") LIKE '%eclipse.exe%' OR LOWER("ParentImage") LIKE '%pycharm%.exe%' OR LOWER("ParentImage") LIKE '%webstorm.exe%' OR LOWER("ParentImage") LIKE '%phpstorm.exe%' OR LOWER("ParentImage") LIKE '%rider.exe%' OR LOWER("ParentImage") LIKE '%goland.exe%' OR LOWER("ParentImage") LIKE '%clion.exe%')
      AND (LOWER("Image") LIKE '%cmd.exe%' OR LOWER("Image") LIKE '%powershell.exe%' OR LOWER("Image") LIKE '%pwsh.exe%' OR LOWER("Image") LIKE '%mshta.exe%' OR LOWER("Image") LIKE '%wscript.exe%' OR LOWER("Image") LIKE '%cscript.exe%' OR LOWER("Image") LIKE '%rundll32.exe%' OR LOWER("Image") LIKE '%regsvr32.exe%' OR LOWER("Image") LIKE '%certutil.exe%' OR LOWER("Image") LIKE '%bitsadmin.exe%' OR LOWER("Image") LIKE '%schtasks.exe%')
      AND NOT (LOWER("CommandLine") LIKE '%git %' OR LOWER("CommandLine") LIKE '%npm %' OR LOWER("CommandLine") LIKE '%yarn %' OR LOWER("CommandLine") LIKE '%pip %' OR LOWER("CommandLine") LIKE '%cargo %' OR LOWER("CommandLine") LIKE '%dotnet %' OR LOWER("CommandLine") LIKE '%gradle%' OR LOWER("CommandLine") LIKE '%mvn %' OR LOWER("CommandLine") LIKE '%make %' OR LOWER("CommandLine") LIKE '%cmake%' OR LOWER("CommandLine") LIKE '%eslint%' OR LOWER("CommandLine") LIKE '%prettier%' OR LOWER("CommandLine") LIKE '%tsc %')
    )
    OR (
      (LOWER("Image") LIKE '%code.exe%' OR LOWER("Image") LIKE '%code-insiders.exe%' OR LOWER("Image") LIKE '%idea%.exe%')
      AND destinationip IS NOT NULL AND destinationport > 0
      AND NOT (INCIDR('10.0.0.0/8', destinationip) OR INCIDR('172.16.0.0/12', destinationip) OR INCIDR('192.168.0.0/16', destinationip) OR INCIDR('127.0.0.0/8', destinationip))
      AND destinationport NOT IN (80, 443)
    )
  )
ORDER BY devicetime DESC
LIMIT 500
LAST 24 HOURS

Severity: high. Confidence: medium.

AQL query against the QRadar SIEM that detects IDE extension abuse on four branches: VSCode tunnel creation, VSIX side-loading, IDE processes spawning suspicious child processes with no legitimate build-tool context, and IDE processes making external network connections on ports other than 80 and 443.
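The same four branches as a classifier run over constructed Sysmon-style events, added here as an example (not the page's own code or a QRadar artifact). Field names follow the query's custom properties; the sample events, paths and the 203.0.113.10 address are constructed, and the internal-address check is written with explicit RFC 1918 and loopback networks to mirror the intent of the query's address filters.

```python
import ipaddress
import re

# Patterns mirroring the query's LIKE clauses; every field is lower-cased before matching.
IDE_PARENT_RE = re.compile(r"(code(-insiders)?|idea\w*|eclipse|pycharm\w*|webstorm|phpstorm|rider|goland|clion)\.exe$")
VSCODE_RE = re.compile(r"code(-insiders)?\.exe$")
IDEA_RE = re.compile(r"idea\w*\.exe$")
LOLBINS = ("cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe",
           "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "schtasks.exe")
BUILD_TOOLS = ("git ", "npm ", "yarn ", "pip ", "cargo ", "dotnet ", "gradle", "mvn ", "make ", "cmake", "eslint", "prettier", "tsc ")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_internal(ip):
    """RFC 1918 and loopback count as internal; an unparsable value is treated as external."""
    try:
        return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)
    except ValueError:
        return False

def classify(ev):
    """Return the detection branch for one event, or None when nothing matches."""
    image, cmd = ev.get("Image", "").lower(), ev.get("CommandLine", "").lower()
    parent, dst_ip, dst_port = ev.get("ParentImage", "").lower(), ev.get("destinationip"), ev.get("destinationport")
    # Branch 1 is as broad as LIKE '%tunnel%': opening a file called tunnel.py also fires (tuning candidate).
    if "tunnel" in cmd and VSCODE_RE.search(image):
        return "VSCode-Tunnel-Reverse-Shell"
    if "--install-extension" in cmd and ".vsix" in cmd.split("--install-extension", 1)[1]:
        return "VSIX-Extension-Sideload"
    if IDE_PARENT_RE.search(parent) and image.endswith(LOLBINS) and not any(t in cmd for t in BUILD_TOOLS):
        return "IDE-Suspicious-Child-Process"
    if (VSCODE_RE.search(image) or IDEA_RE.search(image)) and dst_ip and not is_internal(dst_ip) \
            and dst_port not in (80, 443):
        return "IDE-External-NonHTTPS-Connection"
    return None

CODE, PS = r"C:\Program Files\Microsoft VS Code\Code.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed events in the field shape the query reads; not real telemetry
    {"Image": CODE, "CommandLine": "code.exe tunnel --accept-server-license-terms --name df00tech-test"},
    {"Image": CODE, "CommandLine": r"code.exe C:\src\tunnel.py"},
    {"Image": CODE, "CommandLine": r"code.exe --install-extension C:\Temp\helper.vsix"},
    {"Image": PS, "ParentImage": CODE, "CommandLine": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Temp\run.ps1"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": CODE, "CommandLine": "cmd.exe /c npm run build"},
    {"Image": CODE, "destinationip": "172.16.4.20", "destinationport": 8443},
    {"Image": CODE, "destinationip": "203.0.113.10", "destinationport": 4444},
    {"Image": CODE, "destinationip": "203.0.113.10", "destinationport": 443},
]

def run(events=SAMPLE_EVENTS):
    """Classify every sample event; the second one shows the tunnel branch's over-match."""
    return [classify(e) for e in events]
```

The second sample event, where code.exe merely opens a file named tunnel.py, is flagged exactly as the query's LIKE '%tunnel%' would flag it; that is the gap to close during tuning with an allowlist of approved tunnel users or a pattern anchored on the tunnel subcommand.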

Data Sources

Sysmon Event ID 1 (Process Create)
Sysmon Event ID 3 (Network Connection)
Windows Security Event Log

Required Tables

events

False Positives & Tuning

  • Developers using VSCode Remote Tunnels as a supported feature for remote development workflows — review tunnel usage against known developer assets and establish a whitelist of approved tunnel users
  • IT administrators side-loading approved internal tooling extensions via .vsix files on developer workstations — validate against approved software deployment records
  • Automated test frameworks or build pipelines that run tests via PowerShell or cmd.exe invoked from within JetBrains IDE run configurations — baseline normal build pipeline behavior per host

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: VSCode Tunnel Creation (Mustang Panda TTP)

    Expected signal: Sysmon Event ID 1: Process Create with Image=code.exe, CommandLine containing 'tunnel --accept-server-license-terms --name df00tech-test'. Sysmon Event ID 3: Network connection from code.exe to Microsoft tunnel infrastructure (*.tunnels.api.visualstudio.com or *.vscode.dev) on port 443. File creation events in %USERPROFILE%\.vscode\cli\servers\.

  2. Test 2: VSCode Extension Side-Load from Local VSIX

    Expected signal: Sysmon Event ID 1: Process Create with Image=code.exe, CommandLine containing '--install-extension' and '.vsix'. Sysmon Event ID 11: File creation in %USERPROFILE%\.vscode\extensions\df00tech.df00tech-test-* directory. Sysmon Event ID 1 for powershell.exe (Compress-Archive) spawned to create the VSIX.

  3. Test 3: IDE Extension Spawning PowerShell Command

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing '-NoProfile -WindowStyle Hidden', ParentImage=powershell.exe. If executed from within a VSCode terminal or task, ParentImage will be code.exe or extensionHost process. Security Event ID 4688 (if command line auditing enabled).

  4. Test 4: Enumerate Installed VSCode Extensions for Suspicious Entries

    Expected signal: Sysmon Event ID 1: Process Create with Image=code.exe, CommandLine='--list-extensions --show-versions'. Output logged to console listing all installed extensions with version numbers. Sysmon Event ID 1 for any spawned processes (code.exe may spawn helpers).

  5. Test 5: VSCode Extension Directory Modification via External Process

    Expected signal: Sysmon Event ID 11: File Create with TargetFilename in %USERPROFILE%\.vscode\extensions\ and Image=cmd.exe (not code.exe or node.exe). Sysmon Event ID 1: Process Create for cmd.exe with CommandLine showing the write operation.
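A defender-side review of the extensions directory that Tests 2, 4 and 5 exercise, added here as an example (not part of the original page or its Pro package). The approved-publisher set, the sample manifests written to a temporary directory, and the folder-name heuristic are assumptions; the package.json fields read (publisher, name, version, activationEvents) are standard VS Code manifest fields.

```python
import json
import tempfile
from pathlib import Path

# Activation events that load an extension as soon as the IDE starts, which is what the persistence relies on.
STARTUP_ACTIVATION = {"*", "onStartupFinished"}

def review_extensions(ext_dir, approved_publishers):
    """Return one record per extension folder under ext_dir, with the reasons it deserves review.

    ext_dir is normally %USERPROFILE%\\.vscode\\extensions; each folder is named publisher.name-version
    and holds package.json, the VS Code manifest, whose publisher/name/version/activationEvents are read.
    """
    records = []
    for manifest in sorted(Path(ext_dir).glob("*/package.json")):
        try:
            pkg = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            pkg = {}  # an unreadable manifest still gets a record and fails every check below
        ident = f"{pkg.get('publisher', '?')}.{pkg.get('name', '?')}"
        reasons = []
        if pkg.get("publisher") not in approved_publishers:
            reasons.append("unapproved-publisher")
        if STARTUP_ACTIVATION & set(pkg.get("activationEvents", [])):
            reasons.append("activates-at-startup")
        # Heuristic (assumption): VS Code names the folder after the manifest; a folder dropped in by
        # another process, as in Test 5, often does not match.
        if not manifest.parent.name.lower().startswith(ident.lower() + "-"):
            reasons.append("folder-manifest-mismatch")
        records.append({"folder": manifest.parent.name, "id": ident, "version": pkg.get("version", "?"), "reasons": reasons})
    return records

def demo():
    """Build a constructed extensions directory (sample data, not a real install) and review it."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "approved-co.linter-3.1.0": {"publisher": "approved-co", "name": "linter", "version": "3.1.0",
                                     "activationEvents": ["onLanguage:python"]},
        "df00tech.df00tech-test-0.0.1": {"publisher": "df00tech", "name": "df00tech-test", "version": "0.0.1",
                                         "activationEvents": ["*"]},
        "updater-1.0.0": {"publisher": "acme", "name": "helper", "version": "1.0.0",
                          "activationEvents": ["onStartupFinished"]},
    }
    for folder, pkg in samples.items():
        (root / folder).mkdir()
        (root / folder / "package.json").write_text(json.dumps(pkg), encoding="utf-8")
    return review_extensions(root, approved_publishers={"approved-co"})
```

Run `review_extensions` against the real directory on a developer workstation to get the same inventory the Test 4 `--list-extensions` output gives, plus the startup-activation and folder-mismatch flags that the listing alone does not show.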
