Detect IDE Extensions in Sumo Logic CSE
Adversaries may abuse an integrated development environment (IDE) extension to establish persistent access to victim systems. IDEs such as Visual Studio Code, IntelliJ IDEA, and Eclipse support extensions — software components that add features like code linting, auto-completion, task automation, or integration with external tools. A malicious extension can be installed through an extension marketplace or side-loaded directly into the IDE via a .vsix package. Once installed, the extension runs every time the IDE is launched, enabling persistent arbitrary code execution, backdoor establishment, cryptocurrency mining, or data exfiltration. Adversaries may also leverage benign extensions: for example, Mustang Panda has abused the VSCode built-in tunnel feature (code.exe tunnel) to establish persistent reverse shells routed through Microsoft infrastructure, bypassing firewall controls.
MITRE ATT&CK
- Tactic: Persistence
- Technique: T1176 Software Extensions
- Sub-technique: T1176.002 IDE Extensions
- Canonical reference: https://attack.mitre.org/techniques/T1176/002/
Sumo Detection Query
_sourceCategory=*windows*sysmon* OR _sourceCategory=*endpoint*
| where EventID in ("1", "3") OR EventCode in ("1", "3")
| parse field=CommandLine "*" as cmd_line nodrop
| parse field=Image "*" as process_image nodrop
| parse field=ParentImage "*" as parent_image nodrop
| parse field=DestinationIp "*" as dest_ip nodrop
| parse field=DestinationPort "*" as dest_port nodrop
// Classify IDE processes
| eval is_ide_process = if (matches(process_image, "(?i)(code\.exe|code-insiders\.exe|code-server|idea\.exe|idea64\.exe|eclipse\.exe|webstorm\.exe|pycharm\.exe|pycharm64\.exe|phpstorm\.exe|rider\.exe|goland\.exe|clion\.exe|datagrip\.exe)"), 1, 0)
| eval is_ide_parent = if (matches(parent_image, "(?i)(code\.exe|code-insiders\.exe|idea\.exe|idea64\.exe|eclipse\.exe|webstorm\.exe|pycharm\.exe|pycharm64\.exe|phpstorm\.exe|rider\.exe|goland\.exe|clion\.exe|datagrip\.exe)"), 1, 0)
// Branch scores
| eval vscode_tunnel = if (matches(process_image, "(?i)code.*\.exe") AND matches(cmd_line, "(?i)\btunnel\b"), 1, 0)
| eval vsix_sideload = if (matches(process_image, "(?i)code.*\.exe") AND matches(cmd_line, "(?i)--install-extension.*\.vsix"), 1, 0)
| eval ide_suspicious_spawn = if (
is_ide_parent == 1
AND matches(process_image, "(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|mshta\.exe|wscript\.exe|cscript\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|schtasks\.exe|whoami\.exe|nltest\.exe)")
AND NOT matches(cmd_line, "(?i)(git |npm |yarn |pip |cargo |dotnet |gradle|mvn |make |cmake|eslint|prettier|tsc )"),
1, 0)
| eval ide_external_conn = if (
is_ide_process == 1
AND (EventID == "3" OR EventCode == "3")
AND NOT matches(dest_ip, "^(10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.|192\.168\.|127\.)")
AND dest_port != "80" AND dest_port != "443",
1, 0)
| eval suspicion_score = vscode_tunnel + vsix_sideload + ide_suspicious_spawn + ide_external_conn
| where suspicion_score > 0
| eval detection_branch = if (vscode_tunnel == 1, "VSCode-Tunnel-Reverse-Shell",
if (vsix_sideload == 1, "VSIX-Extension-Sideload",
if (ide_suspicious_spawn == 1, "IDE-Suspicious-Child-Process",
if (ide_external_conn == 1, "IDE-External-NonHTTPS-Connection", "Multi-Branch"))))
| fields _messageTime, _sourceHost, User, process_image, cmd_line, parent_image, dest_ip, dest_port, detection_branch, suspicion_score
| sort by _messageTime desc
Sumo Logic CSE query detecting IDE extension abuse across four detection branches: VSCode tunnel reverse shell (Mustang Panda TTP), VSIX side-loading from local files, IDE spawning high-risk child processes outside legitimate build patterns, and IDE processes making non-HTTPS external connections. Uses Sysmon EventID 1 and 3 telemetry.
Data Sources
Required Tables
False Positives & Tuning
- VSCode Remote Tunnel feature used legitimately by developers for remote coding: any 'tunnel' keyword in the code.exe command line triggers the tunnel branch, so build a suppression list of approved developer hostnames and usernames
- Extension developers or security researchers testing custom VSIX packages locally before marketplace submission: these trigger the VSIX side-load branch, so correlate with DevSec or engineering department identity
- JetBrains IDEs running terminal tasks (npm install, pip install, gradle build) that chain through cmd.exe or PowerShell as intermediary shells: tune the legitimate command exclusion pattern (the NOT matches clause covering git, npm, yarn, pip, cargo, dotnet, gradle, mvn, make, cmake, eslint, prettier, tsc) based on the observed baseline
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: VSCode Tunnel Creation (Mustang Panda TTP)
Expected signal: Sysmon Event ID 1: Process Create with Image=code.exe, CommandLine containing 'tunnel --accept-server-license-terms --name df00tech-test'. Sysmon Event ID 3: Network connection from code.exe to Microsoft tunnel infrastructure (*.tunnels.api.visualstudio.com or *.vscode.dev) on port 443. File creation events in %USERPROFILE%\.vscode\cli\servers\
- Test 2: VSCode Extension Side-Load from Local VSIX
Expected signal: Sysmon Event ID 1: Process Create with Image=code.exe, CommandLine containing '--install-extension' and '.vsix'. Sysmon Event ID 11: File creation in %USERPROFILE%\.vscode\extensions\df00tech.df00tech-test-* directory. Sysmon Event ID 1 for powershell.exe (Compress-Archive) spawned to create the VSIX.
- Test 3: IDE Extension Spawning PowerShell Command
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing '-NoProfile -WindowStyle Hidden', ParentImage=powershell.exe. If executed from within a VSCode terminal or task, ParentImage will be code.exe or the extension host process. Security Event ID 4688 (if command line auditing is enabled).
- Test 4: Enumerate Installed VSCode Extensions for Suspicious Entries
Expected signal: Sysmon Event ID 1: Process Create with Image=code.exe, CommandLine='--list-extensions --show-versions'. Output logged to console listing all installed extensions with version numbers. Sysmon Event ID 1 for any spawned processes (code.exe may spawn helpers).
- Test 5: VSCode Extension Directory Modification via External Process
Expected signal: Sysmon Event ID 11: File Create with TargetFilename in %USERPROFILE%\.vscode\extensions\ and Image=cmd.exe (not code.exe or node.exe). Sysmon Event ID 1: Process Create for cmd.exe with CommandLine showing the write operation.
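As an added example (not the page's query nor any vendor code), the four branch rules and the scoring of the detection query above are re-implemented in Python and run over constructed Sysmon event records that mirror the expected signals of Tests 1 to 5 plus one benign npm task; the hostnames, file paths, the IP 203.0.113.7 and port 4444 are constructed values. The Event ID 11 record from Test 5 scores zero, which makes visible that the query covers process-create and network events only.

```python
import re

# Regexes copied from the query's branches; the events further down are constructed samples.
IDE_IMAGE = re.compile(r"(?i)(code\.exe|code-insiders\.exe|code-server|idea\.exe|idea64\.exe|eclipse\.exe|webstorm\.exe|pycharm\.exe|pycharm64\.exe|phpstorm\.exe|rider\.exe|goland\.exe|clion\.exe|datagrip\.exe)")
VSCODE_IMAGE = re.compile(r"(?i)code.*\.exe")
TUNNEL_CMD = re.compile(r"(?i)\btunnel\b")
VSIX_CMD = re.compile(r"(?i)--install-extension.*\.vsix")
HIGH_RISK_CHILD = re.compile(r"(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|mshta\.exe|wscript\.exe|cscript\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|schtasks\.exe|whoami\.exe|nltest\.exe)")
LEGIT_BUILD = re.compile(r"(?i)(git |npm |yarn |pip |cargo |dotnet |gradle|mvn |make |cmake|eslint|prettier|tsc )")
PRIVATE_IP = re.compile(r"^(10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.|192\.168\.|127\.)")
BRANCHES = ["VSCode-Tunnel-Reverse-Shell", "VSIX-Extension-Sideload",
            "IDE-Suspicious-Child-Process", "IDE-External-NonHTTPS-Connection"]

def score_event(ev):
    """Score one Sysmon event dict the way the query does; returns (score, branch)."""
    eid = str(ev.get("EventID", ""))
    if eid not in ("1", "3"):  # only process-create and network-connect events are scored
        return 0, None
    image, cmd, parent = ev.get("Image", ""), ev.get("CommandLine", ""), ev.get("ParentImage", "")
    is_vscode = VSCODE_IMAGE.search(image) is not None
    hits = [
        is_vscode and TUNNEL_CMD.search(cmd) is not None,                      # vscode_tunnel
        is_vscode and VSIX_CMD.search(cmd) is not None,                        # vsix_sideload
        IDE_IMAGE.search(parent) is not None and HIGH_RISK_CHILD.search(image) is not None
        and LEGIT_BUILD.search(cmd) is None,                                   # ide_suspicious_spawn
        eid == "3" and IDE_IMAGE.search(image) is not None
        and PRIVATE_IP.match(ev.get("DestinationIp", "")) is None
        and str(ev.get("DestinationPort", "")) not in ("80", "443"),           # ide_external_conn
    ]
    # detection_branch takes the first matching branch, in the query's order
    return sum(hits), next((name for name, hit in zip(BRANCHES, hits) if hit), None)

def run_detection(events):
    """Return (host, branch, score) rows for events with suspicion_score > 0."""
    scored = [(ev.get("Computer", "?"), *score_event(ev)) for ev in events]
    return [(host, branch, score) for host, score, branch in scored if score > 0]

VSCODE = r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE_EVENTS = [  # constructed to mirror Tests 1-5 plus one benign build task
    {"EventID": 1, "Computer": "WS01", "Image": VSCODE, "ParentImage": EXPLORER, "CommandLine": "code.exe tunnel --accept-server-license-terms --name df00tech-test"},
    {"EventID": 1, "Computer": "WS01", "Image": VSCODE, "ParentImage": EXPLORER, "CommandLine": r"code.exe --install-extension C:\Users\dev\Downloads\df00tech-test.vsix"},
    {"EventID": 1, "Computer": "WS02", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": VSCODE, "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden"},
    {"EventID": 1, "Computer": "WS02", "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": VSCODE, "CommandLine": "cmd.exe /c npm install"},
    {"EventID": 3, "Computer": "WS03", "Image": VSCODE, "DestinationIp": "203.0.113.7", "DestinationPort": 4444},
    {"EventID": 11, "Computer": "WS03", "Image": r"C:\Windows\System32\cmd.exe", "TargetFilename": r"C:\Users\dev\.vscode\extensions\df00tech.df00tech-test-1.0.0\extension.js"},
]
```

Calling run_detection(SAMPLE_EVENTS) yields one row per branch for the first, second, third and fifth sample; the npm task and the Event ID 11 write produce nothing.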
References
- https://attack.mitre.org/techniques/T1176/002/
- https://www.mnemonic.io/resources/blog/misuse-of-visual-studio-code-for-traffic-tunnelling/
- https://thehackernews.com/2023/01/hackers-distributing-malicious-visual.html
- https://blog.checkpoint.com/securing-the-cloud/malicious-vscode-extensions-with-more-than-45k-downloads-steal-pii-and-enable-backdoors/
- https://blog.extensiontotal.com/mining-in-plain-sight-the-vs-code-extension-cryptojacking-campaign-19ca12904b59
- https://unit42.paloaltonetworks.com/chinese-threat-actors-using-vscode/
- https://code.visualstudio.com/docs/remote/tunnels
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md