T1219.001 IDE Tunneling Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let IDETunnelProcesses = dynamic([
  "code.exe", "code-tunnel.exe", "code-insiders.exe",
  "code", "code-tunnel",
  "devtunnel.exe", "devtunnel",
  "jetbrains-gateway.exe", "gateway.exe",
  "remote-dev-server.sh", "idea.sh", "pycharm.sh",
  "cursor.exe", "cursor",
  "windsurf.exe"
]);
let TunnelArguments = dynamic([
  "tunnel", "--remote-tunnel", "serve-web",
  "tunnel --accept-server-license-terms",
  "remote-ssh", "dev-tunnel",
  "--host 0.0.0.0"
]);
let TunnelDomains = dynamic([
  "tunnels.api.visualstudio.com", "global.rel.tunnels.api.visualstudio.com",
  "devtunnels.ms", ".tunnels.api.visualstudio.com",
  "vscode.dev", "*.vscode.dev",
  "code.visualstudio.com",
  "gateway.jetbrains.com", "code-server.dev"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (IDETunnelProcesses)
    or ProcessCommandLine has_any (TunnelArguments)
| extend IsTunnelCommand = ProcessCommandLine has "tunnel"
| extend IsCodeCLI = FileName in~ ("code.exe", "code", "code-tunnel.exe", "code-tunnel", "code-insiders.exe")
| extend IsJetBrains = FileName has_any ("jetbrains-gateway", "gateway.exe", "remote-dev-server", "idea", "pycharm")
| extend HasGitHubAuth = ProcessCommandLine has_any ("--github", "github", "--provider github")
| extend IsHeadless = ProcessCommandLine has_any ("--cli", "--no-browser", "--accept-server-license-terms", "serve-web")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         IsTunnelCommand, IsCodeCLI, IsJetBrains, HasGitHubAuth, IsHeadless
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Network Traffic: Network Connection Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Software developers using VS Code Remote Development extension to work on remote servers or containers as part of normal development workflows
DevOps engineers using JetBrains Gateway to connect to remote build servers or cloud development environments (GitHub Codespaces, Gitpod)
CI/CD pipeline agents that invoke VS Code CLI or DevTunnel for automated testing or deployment tasks
IT administrators using VS Code tunnel to remotely troubleshoot servers from their workstations

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*\\code.exe" OR Image="*\\code-tunnel.exe" OR Image="*\\code-insiders.exe"
   OR Image="*\\devtunnel.exe" OR Image="*\\devtunnel"
   OR Image="*\\jetbrains-gateway.exe" OR Image="*\\gateway.exe"
   OR Image="*\\remote-dev-server*" OR Image="*\\cursor.exe"
   OR CommandLine="*tunnel*" OR CommandLine="*serve-web*" OR CommandLine="*--remote-tunnel*")
| eval IsTunnelCommand=if(match(CommandLine, "(?i)tunnel"), 1, 0)
| eval IsCodeCLI=if(match(Image, "(?i)(code\.exe|code-tunnel|code-insiders)"), 1, 0)
| eval IsJetBrains=if(match(Image, "(?i)(jetbrains-gateway|gateway\.exe|remote-dev-server|idea|pycharm)"), 1, 0)
| eval HasGitHubAuth=if(match(CommandLine, "(?i)(--github|github|--provider\s+github)"), 1, 0)
| eval IsHeadless=if(match(CommandLine, "(?i)(--cli|--no-browser|--accept-server-license-terms|serve-web)"), 1, 0)
| eval RiskScore=IsTunnelCommand + HasGitHubAuth + IsHeadless
| where IsTunnelCommand=1 OR IsCodeCLI=1 OR IsJetBrains=1
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, IsTunnelCommand, IsCodeCLI, IsJetBrains, HasGitHubAuth, IsHeadless, RiskScore
| sort - _time

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Software developers using VS Code Remote Development extension for legitimate remote coding workflows
DevOps engineers using JetBrains Gateway to connect to cloud-based development environments
CI/CD pipelines invoking VS Code CLI or DevTunnel for automated integration testing
IT administrators using VS Code tunnel for remote server management

Elastic Security (EQL)

eql

process where event.type == "start"
  and (
    process.name in~ (
      "code.exe", "code-tunnel.exe", "code-insiders.exe", "code", "code-tunnel",
      "devtunnel.exe", "devtunnel", "jetbrains-gateway.exe", "gateway.exe",
      "remote-dev-server.sh", "idea.sh", "pycharm.sh",
      "cursor.exe", "cursor", "windsurf.exe"
    )
    or process.command_line like~ (
      "*tunnel*", "*serve-web*", "*--remote-tunnel*",
      "*dev-tunnel*", "*--host 0.0.0.0*",
      "*--accept-server-license-terms*", "*--no-browser*"
    )
  )

high severity high confidence

Data Sources

Elastic Endpoint Security agent (endpoint.events.process) Winlogbeat with Sysmon module (winlogbeat-*) Filebeat auditd module for Linux (filebeat-*)

Required Tables

logs-endpoint.events.process-* winlogbeat-* filebeat-*

False Positives

Authorized software developers using VS Code Remote Tunnels or JetBrains Gateway for legitimate remote development on approved cloud VMs or home office machines.
DevOps engineers using the devtunnel CLI as part of Azure Developer CLI (azd) workflows to expose local services for integration testing in CI/CD pipelines.
IT support staff or platform engineering teams using Cursor or Windsurf AI editors with built-in remote SSH capabilities for sanctioned pair programming or incident response on remote hosts.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  hostname AS HostName,
  username AS UserName,
  "Process Name" AS ProcessName,
  "Command" AS CommandLine,
  "Parent Process Path" AS ParentProcess,
  LOGSOURCETYPENAME(devicetype) AS LogSourceType,
  sourceip AS SourceIP
FROM events
WHERE
  (
    LOWER("Process Name") IN (
      'code.exe', 'code-tunnel.exe', 'code-insiders.exe', 'code', 'code-tunnel',
      'devtunnel.exe', 'devtunnel', 'jetbrains-gateway.exe', 'gateway.exe',
      'remote-dev-server.sh', 'idea.sh', 'pycharm.sh',
      'cursor.exe', 'cursor', 'windsurf.exe'
    )
    OR LOWER("Command") LIKE '%tunnel%'
    OR LOWER("Command") LIKE '%serve-web%'
    OR LOWER("Command") LIKE '%-remote-tunnel%'
    OR LOWER("Command") LIKE '%dev-tunnel%'
    OR LOWER("Command") LIKE '%-host 0.0.0.0%'
    OR LOWER("Command") LIKE '%-accept-server-license-terms%'
  )
ORDER BY starttime DESC
LAST 24 HOURS

high severity high confidence

Data Sources

IBM QRadar SIEM with Microsoft Windows Sysmon DSM QRadar WinCollect agent collecting Sysmon EventID 1 (Process Create) QRadar Linux auditd DSM for Linux process telemetry

Required Tables

events

False Positives

Engineering teams in organizations that have formally approved VS Code Remote Tunnels or JetBrains Gateway as standard remote development tooling, generating high volumes of matching process events during normal business hours.
DevOps automation using devtunnel to create temporary preview URLs for pull request deployments in Azure-integrated pipelines — will appear as headless tunnel commands from build agent service accounts.
Security research teams using IDE tunnel binaries in isolated lab environments to study adversary techniques, where the tunnel destination is internal and monitored.

Sumo Logic CSE

sql

(_sourceCategory="*sysmon*" OR _sourceCategory="*windows/sysmon*" OR _sourceCategory="*endpoint/process*")
| where EventID = "1"
| where (
    toLowerCase(Image) matches /.*?(code\.exe|code-tunnel\.exe|code-insiders\.exe|code-tunnel|devtunnel\.exe|devtunnel|jetbrains-gateway\.exe|gateway\.exe|remote-dev-server\.sh|idea\.sh|pycharm\.sh|cursor\.exe|windsurf\.exe)$/
    or toLowerCase(CommandLine) contains "tunnel"
    or toLowerCase(CommandLine) contains "serve-web"
    or toLowerCase(CommandLine) contains "--remote-tunnel"
    or toLowerCase(CommandLine) contains "dev-tunnel"
    or toLowerCase(CommandLine) contains "--host 0.0.0.0"
    or toLowerCase(CommandLine) contains "--accept-server-license-terms"
  )
| eval IsTunnelCommand = if (toLowerCase(CommandLine) contains "tunnel", "true", "false")
| eval IsCodeCLI = if (toLowerCase(Image) matches /.*?(code\.exe|code-tunnel\.exe|code-insiders\.exe|code-tunnel)$/, "true", "false")
| eval IsJetBrains = if (toLowerCase(Image) matches /.*?(jetbrains-gateway\.exe|gateway\.exe|remote-dev-server\.sh|idea\.sh|pycharm\.sh)$/, "true", "false")
| eval HasGitHubAuth = if (toLowerCase(CommandLine) contains "github" or toLowerCase(CommandLine) contains "--provider github", "true", "false")
| eval IsHeadless = if (
    toLowerCase(CommandLine) contains "--no-browser"
    or toLowerCase(CommandLine) contains "--accept-server-license-terms"
    or toLowerCase(CommandLine) contains "serve-web"
    or toLowerCase(CommandLine) contains "--cli", "true", "false")
| fields _messagetime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, IsTunnelCommand, IsCodeCLI, IsJetBrains, HasGitHubAuth, IsHeadless
| sort by _messagetime desc

high severity high confidence

Data Sources

Sumo Logic Cloud SIEM with Sysmon collector Sumo Logic installed collector with Windows Event Log source (Sysmon channel) Sumo Logic Endpoint Security source category

Required Tables

Sysmon EventID 1 events via configured _sourceCategory

False Positives

Developers on engineering teams running VS Code with Remote Tunnels or JetBrains Gateway enabled as an approved tool for cloud-based development environments, generating matching process events from known developer workstations.
Automated CI/CD build agents invoking devtunnel or code-tunnel to expose ephemeral preview environments for pull request review workflows, appearing as service account process launches.
Corporate help desk using Cursor or VS Code with remote development features to access end-user machines during IT support sessions conducted under a formal access request process.

Google Chronicle / SecOps

yaral

rule ide_tunneling_t1219_001 {
  meta:
    author = "Detection Engineering"
    description = "Detects IDE tunneling (T1219.001) — adversaries abusing VS Code tunnel CLI, Microsoft devtunnel, JetBrains Gateway, Cursor, or Windsurf remote features to establish interactive C2 channels blending with legitimate developer workflows."
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1219.001"
    mitre_attack_technique_name = "IDE Tunneling"
    reference = "https://attack.mitre.org/techniques/T1219/001/"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path,
        `(?i)(code\.exe|code-tunnel\.exe|code-insiders\.exe|code-tunnel|devtunnel\.exe|devtunnel|jetbrains-gateway\.exe|gateway\.exe|remote-dev-server\.sh|idea\.sh|pycharm\.sh|cursor\.exe|cursor|windsurf\.exe)$`)
      or
      re.regex($e.target.process.command_line,
        `(?i)(\btunnel\b|--remote-tunnel|serve-web|dev-tunnel|--host\s+0\.0\.0\.0|--accept-server-license-terms|--no-browser|--provider\s+github)`)
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM with UDM normalization Chronicle Endpoint telemetry (CrowdStrike, SentinelOne, or Carbon Black ingested via Chronicle forwarder) Chronicle Windows Event Log ingestion with UDM mapping for Sysmon EventID 1

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH

False Positives

Sanctioned use of VS Code Remote Tunnels or JetBrains Gateway by developers in organizations that have explicitly approved cloud IDE tunneling as part of their remote work policy, particularly visible from known developer asset groups.
Automated build systems or GitHub Actions runners invoking devtunnel or code-tunnel to create preview environments, where the initiating principal is a service account on a CI/CD host.
Security operations analysts using IDE tunnel features to access isolated sandbox or malware analysis environments, where process launches originate from dedicated SOC workstations.

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| FileName = /^(code\.exe|code-tunnel\.exe|code-insiders\.exe|code|code-tunnel|devtunnel\.exe|devtunnel|jetbrains-gateway\.exe|gateway\.exe|remote-dev-server\.sh|idea\.sh|pycharm\.sh|cursor\.exe|cursor|windsurf\.exe)$/i
  OR CommandLine = /tunnel|--remote-tunnel|serve-web|dev-tunnel|--host\s+0\.0\.0\.0|--accept-server-license-terms|--no-browser/i
| IsTunnelCommand := if(CommandLine = /tunnel/i, "true", "false")
| IsCodeCLI := if(FileName = /^(code\.exe|code-tunnel\.exe|code-insiders\.exe|code|code-tunnel)$/i, "true", "false")
| IsJetBrains := if(FileName = /^(jetbrains-gateway\.exe|gateway\.exe|remote-dev-server\.sh|idea\.sh|pycharm\.sh)$/i, "true", "false")
| HasGitHubAuth := if(CommandLine = /--github|github|--provider\s+github/i, "true", "false")
| IsHeadless := if(CommandLine = /(--cli|--no-browser|--accept-server-license-terms|serve-web)/i, "true", "false")
| table([timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, IsTunnelCommand, IsCodeCLI, IsJetBrains, HasGitHubAuth, IsHeadless])
| sort(timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection (Falcon sensor ProcessRollup2 telemetry) CrowdStrike LogScale (Humio) SIEM Falcon Event Stream — process execution events

Required Tables

ProcessRollup2 (Falcon sensor event stream)

False Positives

Developer workstations enrolled in a corporate VS Code Remote Tunnels program where engineering policy permits cloud-based development environments, generating frequent matching ProcessRollup2 events from known asset groups.
DevOps pipeline agents using devtunnel as part of Azure-integrated developer toolchains to expose local services for API testing, appearing as automated service account process launches on CI/CD hosts.
Platform engineering teams using JetBrains Remote Development or JetBrains Gateway to provision and connect to centrally managed cloud developer environments (CDEs), where the gateway process is expected on provisioning hosts.

IDE Tunneling

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Command and Control

Popular Detections