Detect IDE Extensions in Microsoft Sentinel
Adversaries may abuse an integrated development environment (IDE) extension to establish persistent access to victim systems. IDEs such as Visual Studio Code, IntelliJ IDEA, and Eclipse support extensions — software components that add features like code linting, auto-completion, task automation, or integration with external tools. A malicious extension can be installed through an extension marketplace or side-loaded directly into the IDE via a .vsix package. Once installed, the extension runs every time the IDE is launched, enabling persistent arbitrary code execution, backdoor establishment, cryptocurrency mining, or data exfiltration. Adversaries may also leverage benign extensions or built-in IDE features: for example, Mustang Panda has abused the VSCode built-in tunnel feature (code.exe tunnel) to establish persistent reverse shells routed through Microsoft infrastructure, bypassing firewall controls.
MITRE ATT&CK
- Tactic: Persistence
- Technique: T1176 Software Extensions
- Sub-technique: T1176.002 IDE Extensions
- Canonical reference: https://attack.mitre.org/techniques/T1176/002/
KQL Detection Query
```kql
let IDEProcesses = dynamic(["code.exe", "code-insiders.exe", "code-server", "idea.exe", "idea64.exe", "eclipse.exe", "webstorm.exe", "pycharm.exe", "pycharm64.exe", "phpstorm.exe", "rider.exe", "goland.exe", "clion.exe", "datagrip.exe"]);
let SuspiciousChildren = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "schtasks.exe", "net.exe", "net1.exe", "whoami.exe", "nltest.exe", "curl.exe", "wget.exe"]);
let LegitCmdPatterns = dynamic(["git ", "npm ", "yarn ", "pip ", "cargo ", "dotnet ", "gradle", "mvn ", "make ", "cmake", "eslint", "prettier", "tsc "]);
// Branch 1: VSCode tunnel creation (Mustang Panda reverse shell TTP)
let VscodeTunnel = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("code.exe", "code-insiders.exe", "code-server")
| where ProcessCommandLine has "tunnel"
| extend DetectionBranch = "VSCode-Tunnel-Reverse-Shell"
| extend RiskReason = "VSCode tunnel enables persistent remote code execution via Microsoft infrastructure";
// Branch 2: IDE spawning high-risk processes with no legitimate build pattern
let IDESuspiciousSpawn = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (IDEProcesses)
| where FileName in~ (SuspiciousChildren)
| where not (ProcessCommandLine has_any (LegitCmdPatterns))
| extend DetectionBranch = "IDE-Suspicious-Child-Process"
| extend RiskReason = strcat("IDE process ", InitiatingProcessFileName, " spawned ", FileName, " with non-build command line");
// Branch 3: VSIX extension side-load from outside marketplace
let VSIXSideload = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("code.exe", "code-insiders.exe")
| where ProcessCommandLine has "--install-extension" and ProcessCommandLine has ".vsix"
| extend DetectionBranch = "VSIX-Extension-Sideload"
| extend RiskReason = "Extension installed from local .vsix file — bypasses marketplace vetting";
// Branch 4: VSCode extension host making external network connections via child process
let ExtHostExternalConn = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("code.exe", "code-insiders.exe")
| where RemoteIPType == "Public"
| where RemotePort !in (80, 443)
| extend DetectionBranch = "IDE-External-NonHTTPS-Connection"
| extend RiskReason = strcat("IDE connected to public IP ", RemoteIP, " on non-standard port ", RemotePort)
// DeviceNetworkEvents has no AccountName/FileName columns: map the initiating-process fields
// onto the DeviceProcessEvents schema so the union below lines up (parent command line is not available)
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName, FileName=InitiatingProcessFileName, ProcessCommandLine=InitiatingProcessCommandLine, InitiatingProcessFileName=InitiatingProcessParentFileName, InitiatingProcessCommandLine="", DetectionBranch, RiskReason;
// Union process and network branches
union VscodeTunnel, IDESuspiciousSpawn, VSIXSideload, ExtHostExternalConn
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch, RiskReason
| sort by Timestamp desc
```
Multi-branch detection targeting IDE extension abuse (T1176.002). Branch 1 detects VSCode tunnel creation — the Mustang Panda TTP that creates a reverse shell via Microsoft's tunnel infrastructure. Branch 2 detects IDEs spawning high-risk LOLBins (powershell, cmd, mshta, certutil) with command lines that do not match known build-tool patterns, indicating potential code execution by a malicious extension. Branch 3 detects .vsix extension side-loading that bypasses the marketplace vetting process. Branch 4 detects IDE processes making outbound connections to public IPs on ports other than 80/443, indicating potential backdoor C2 channels. The query uses the DeviceProcessEvents and DeviceNetworkEvents tables from Microsoft Defender for Endpoint.
Data Sources
Required Tables
- DeviceProcessEvents
- DeviceNetworkEvents
False Positives & Tuning
- Developers using VSCode Remote Tunnels legitimately for authorized remote development — tunnel usage should be validated against IT-approved remote development policy
- Security researchers or penetration testers testing IDE extensions in authorized lab environments
- Extension developers side-loading their own .vsix files during local development and testing cycles
- Build pipelines that invoke cmd.exe or powershell.exe as part of IDE task runners (e.g., VSCode tasks.json running build scripts) — these will have predictable, repeatable command lines
- IDE extensions for Docker, Kubernetes, or cloud providers that legitimately connect to external management APIs on non-standard ports
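The four KQL branches above and the build-task exclusion from the tuning list, modelled in Python and run over constructed sample rows so the branch logic can be checked offline (added example, not code from the original page; field names mirror DeviceProcessEvents and DeviceNetworkEvents, and substring matching stands in for KQL's term-based `has`):

```python
# Added example, not from the original page: Python model of the four KQL branches over
# constructed sample rows. Substring matching stands in for KQL term-based 'has'.
IDE = {"code.exe", "code-insiders.exe", "code-server", "idea.exe", "idea64.exe", "eclipse.exe",
       "webstorm.exe", "pycharm.exe", "pycharm64.exe", "phpstorm.exe", "rider.exe",
       "goland.exe", "clion.exe", "datagrip.exe"}
VSCODE = {"code.exe", "code-insiders.exe", "code-server"}
CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe",
            "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "schtasks.exe",
            "net.exe", "net1.exe", "whoami.exe", "nltest.exe", "curl.exe", "wget.exe"}
LEGIT = ("git ", "npm ", "yarn ", "pip ", "cargo ", "dotnet ", "gradle", "mvn ", "make ",
         "cmake", "eslint", "prettier", "tsc ")

def process_branches(ev):
    """Branches 1-3 for one DeviceProcessEvents-like row; a row may hit several."""
    fname, parent = ev["FileName"].lower(), ev["InitiatingProcessFileName"].lower()
    cmd, hits = ev["ProcessCommandLine"].lower(), []
    if fname in VSCODE and "tunnel" in cmd:                                       # Branch 1
        hits.append("VSCode-Tunnel-Reverse-Shell")
    if parent in IDE and fname in CHILDREN and not any(p in cmd for p in LEGIT):  # Branch 2
        hits.append("IDE-Suspicious-Child-Process")
    if fname in VSCODE - {"code-server"} and "--install-extension" in cmd and ".vsix" in cmd:
        hits.append("VSIX-Extension-Sideload")                                    # Branch 3
    return hits

def network_branches(ev):
    """Branch 4 for one DeviceNetworkEvents-like row: public IP on a port other than 80/443."""
    if (ev["InitiatingProcessFileName"].lower() in VSCODE - {"code-server"}
            and ev["RemoteIPType"] == "Public" and ev["RemotePort"] not in (80, 443)):
        return ["IDE-External-NonHTTPS-Connection"]
    return []

def run_detection(process_events, network_events):
    """Mirror of the final union: one (branch, process name) tuple per hit."""
    out = [(b, ev["FileName"]) for ev in process_events for b in process_branches(ev)]
    return out + [(b, ev["InitiatingProcessFileName"]) for ev in network_events
                  for b in network_branches(ev)]

SAMPLE_PROCESS = [  # constructed sample rows, not real telemetry; tunnel name is a placeholder
    {"FileName": "code.exe", "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": "code.exe tunnel --accept-server-license-terms --name EXAMPLE-TUNNEL"},
    {"FileName": "code.exe", "InitiatingProcessFileName": "cmd.exe",
     "ProcessCommandLine": "code.exe --install-extension C:\\Temp\\example.vsix"},
    {"FileName": "powershell.exe", "InitiatingProcessFileName": "code.exe",
     "ProcessCommandLine": "powershell.exe -NoProfile -WindowStyle Hidden"},
    {"FileName": "cmd.exe", "InitiatingProcessFileName": "code.exe",
     "ProcessCommandLine": "cmd.exe /c npm run build"},      # tasks.json build task, excluded
]
SAMPLE_NETWORK = [  # constructed: one expected HTTPS connection, one on a non-standard port
    {"InitiatingProcessFileName": "code.exe", "RemoteIPType": "Public", "RemotePort": 443},
    {"InitiatingProcessFileName": "code.exe", "RemoteIPType": "Public", "RemotePort": 8080},
]
```

Running `run_detection(SAMPLE_PROCESS, SAMPLE_NETWORK)` yields four hits; the `npm run build` task and the port-443 connection are excluded, which is the behaviour the tuning notes above rely on.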
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: VSCode Tunnel Creation (Mustang Panda TTP)
Expected signal: Sysmon Event ID 1: Process Create with Image=code.exe, CommandLine containing 'tunnel --accept-server-license-terms --name df00tech-test'. Sysmon Event ID 3: Network connection from code.exe to Microsoft tunnel infrastructure (*.tunnels.api.visualstudio.com or *.vscode.dev) on port 443. File creation events in %USERPROFILE%\.vscode\cli\servers\
- Test 2: VSCode Extension Side-Load from Local VSIX
Expected signal: Sysmon Event ID 1: Process Create with Image=code.exe, CommandLine containing '--install-extension' and '.vsix'. Sysmon Event ID 11: File creation in %USERPROFILE%\.vscode\extensions\df00tech.df00tech-test-* directory. Sysmon Event ID 1 for powershell.exe (Compress-Archive) spawned to create the VSIX.
- Test 3: IDE Extension Spawning PowerShell Command
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing '-NoProfile -WindowStyle Hidden', ParentImage=powershell.exe. If executed from within a VSCode terminal or task, ParentImage will be code.exe or the extension host process. Security Event ID 4688 (if command line auditing is enabled).
- Test 4: Enumerate Installed VSCode Extensions for Suspicious Entries
Expected signal: Sysmon Event ID 1: Process Create with Image=code.exe, CommandLine='--list-extensions --show-versions'. Output logged to console listing all installed extensions with version numbers. Sysmon Event ID 1 for any spawned processes (code.exe may spawn helpers).
- Test 5: VSCode Extension Directory Modification via External Process
Expected signal: Sysmon Event ID 11: File Create with TargetFilename in %USERPROFILE%\.vscode\extensions\ and Image=cmd.exe (not code.exe or node.exe). Sysmon Event ID 1: Process Create for cmd.exe with CommandLine showing the write operation.
References
- https://attack.mitre.org/techniques/T1176/002/
- https://www.mnemonic.io/resources/blog/misuse-of-visual-studio-code-for-traffic-tunnelling/
- https://thehackernews.com/2023/01/hackers-distributing-malicious-visual.html
- https://blog.checkpoint.com/securing-the-cloud/malicious-vscode-extensions-with-more-than-45k-downloads-steal-pii-and-enable-backdoors/
- https://blog.extensiontotal.com/mining-in-plain-sight-the-vs-code-extension-cryptojacking-campaign-19ca12904b59
- https://unit42.paloaltonetworks.com/chinese-threat-actors-using-vscode/
- https://code.visualstudio.com/docs/remote/tunnels
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md