T1219.001 Microsoft Sentinel · KQL

Detect IDE Tunneling in Microsoft Sentinel

Adversaries may abuse Integrated Development Environment (IDE) software with remote development features to establish an interactive command and control channel on target systems within a network. IDE tunneling combines SSH, port forwarding, file sharing, and debugging into a single secure connection, letting developers work on remote systems as if they were local. Unlike SSH and port forwarding, IDE tunneling encapsulates an entire session and may use proprietary tunneling protocols alongside SSH, allowing adversaries to blend in with legitimate development workflows. Some IDEs, like Visual Studio Code, provide CLI tools (e.g., code tunnel) that adversaries may use to programmatically establish tunnels and generate web-accessible URLs for remote access. These tunnels can be authenticated through accounts such as GitHub, enabling the adversary to control the compromised system via a legitimate developer portal.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1219 Remote Access Tools
Sub-technique
T1219.001 IDE Tunneling
Canonical reference
https://attack.mitre.org/techniques/T1219/001/

KQL Detection Query

Microsoft Sentinel (KQL)
// Process names of IDE tunnelling clients (VS Code, DevTunnel, JetBrains Gateway, Cursor, Windsurf).
let IDETunnelProcesses = dynamic([
  "code.exe", "code-tunnel.exe", "code-insiders.exe",
  "code", "code-tunnel",
  "devtunnel.exe", "devtunnel",
  "jetbrains-gateway.exe", "gateway.exe",
  "remote-dev-server.sh", "idea.sh", "pycharm.sh",
  "cursor.exe", "cursor",
  "windsurf.exe"
]);
// Command-line fragments that start, expose or authenticate a tunnel.
let TunnelArguments = dynamic([
  "tunnel", "--remote-tunnel", "serve-web",
  "tunnel --accept-server-license-terms",
  "remote-ssh", "dev-tunnel",
  "--host 0.0.0.0"
]);
// Relay and portal hostnames for the Network Connection Creation data source
// (match against DeviceNetworkEvents.RemoteUrl). has_any is term-based and does not
// expand wildcards, so plain hostnames are listed. This list is not consumed by the
// process-event query below.
let TunnelDomains = dynamic([
  "tunnels.api.visualstudio.com", "global.rel.tunnels.api.visualstudio.com",
  "devtunnels.ms",
  "vscode.dev",
  "code.visualstudio.com",
  "gateway.jetbrains.com", "code-server.dev"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
// Either a known IDE tunnelling binary, or a tunnel argument passed to any binary
| where FileName has_any (IDETunnelProcesses)
    or ProcessCommandLine has_any (TunnelArguments)
| extend IsTunnelCommand = ProcessCommandLine has "tunnel"
| extend IsCodeCLI = FileName in~ ("code.exe", "code", "code-tunnel.exe", "code-tunnel", "code-insiders.exe")
| extend IsJetBrains = FileName has_any ("jetbrains-gateway", "gateway.exe", "remote-dev-server", "idea", "pycharm")
// GitHub-authenticated tunnels hand the operator access through a legitimate developer portal
| extend HasGitHubAuth = ProcessCommandLine has_any ("--github", "github", "--provider github")
// Headless flags indicate a tunnel started without an interactive IDE session
| extend IsHeadless = ProcessCommandLine has_any ("--cli", "--no-browser", "--accept-server-license-terms", "serve-web")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         IsTunnelCommand, IsCodeCLI, IsJetBrains, HasGitHubAuth, IsHeadless
| sort by Timestamp desc

Severity: High · Confidence: High

Detects IDE tunneling activity from process creation events in Microsoft Defender for Endpoint. It identifies Visual Studio Code tunnel commands (code tunnel, code-tunnel), JetBrains Gateway remote development, and DevTunnel CLI usage; flags headless/CLI-only tunnel sessions and GitHub-authenticated tunnels, which are commonly abused by threat actors such as Mustang Panda for C2; and distinguishes between the VS Code and JetBrains IDE families.
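The query above declares TunnelDomains but reads only DeviceProcessEvents. The following added example, which is not part of the page's detection package, covers the Network Connection Creation data source by applying the same hostnames to DeviceNetworkEvents. It assumes Defender for Endpoint network telemetry is connected to the Sentinel workspace; the process and domain lists are re-declared so the query runs on its own, and the Severity labels are this example's own convention.

```kusto
// Added example: network-connection view of IDE tunnelling over the MDE DeviceNetworkEvents table.
// Domain and process lists are constructed for this example, not taken from a vendor feed.
let TunnelDomains = dynamic([
  "tunnels.api.visualstudio.com", "global.rel.tunnels.api.visualstudio.com",
  "devtunnels.ms", "vscode.dev", "gateway.jetbrains.com", "code-server.dev"
]);
let IDETunnelProcesses = dynamic([
  "code.exe", "code-tunnel.exe", "code-insiders.exe", "code", "code-tunnel",
  "devtunnel.exe", "devtunnel", "jetbrains-gateway.exe", "gateway.exe",
  "cursor.exe", "cursor", "windsurf.exe"
]);
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType in ("ConnectionSuccess", "ConnectionRequest")
// RemoteUrl is only populated when MDE has DNS/TLS context for the connection
| where isnotempty(RemoteUrl)
| where RemoteUrl has_any (TunnelDomains)
// A tunnel relay contacted by something other than an IDE binary is the more suspicious case
| extend IsKnownIdeClient = InitiatingProcessFileName has_any (IDETunnelProcesses)
| extend IsTunnelCommand = InitiatingProcessCommandLine has "tunnel"
| summarize
    FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
    Connections = count(),
    RemoteIPs = make_set(RemoteIP, 10),
    Ports = make_set(RemotePort, 5)
    by DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName,
       InitiatingProcessCommandLine, RemoteUrl, IsKnownIdeClient, IsTunnelCommand
// Severity scheme is the example's own: unknown client > explicit tunnel command > other IDE traffic
| extend Severity = case(
    not(IsKnownIdeClient), "High",
    IsTunnelCommand, "High",
    "Medium")
| sort by Severity asc, LastSeen desc
```

Because DeviceNetworkEvents already carries the initiating process name, account and command line, no join back to DeviceProcessEvents is needed; the summarize collapses a long-lived tunnel session into one row per process and relay host, which is easier to triage than one row per TCP connection.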

Data Sources

  • Process: Process Creation
  • Command: Command Execution
  • Network Traffic: Network Connection Creation
  • Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • Software developers using VS Code Remote Development extension to work on remote servers or containers as part of normal development workflows
  • DevOps engineers using JetBrains Gateway to connect to remote build servers or cloud development environments (GitHub Codespaces, Gitpod)
  • CI/CD pipeline agents that invoke VS Code CLI or DevTunnel for automated testing or deployment tasks
  • IT administrators using VS Code tunnel to remotely troubleshoot servers from their workstations
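One way to tune for the cases above, as an added example rather than the page's own query: drop approved service accounts through an allowlist and suppress device/account pairs with an established tunnelling history, so that only first-seen tunnel activity alerts. The account names, the 30-day lookback, the three-day threshold and the list of unusual parent processes are assumptions for illustration; in production the allowlist would normally live in a Sentinel watchlist (read with _GetWatchlist) instead of an inline datatable.

```kusto
// Added example: baseline-and-allowlist tuning for the IDE tunnelling detection.
// Allowlist entries, the lookback window and the thresholds are constructed assumptions.
let lookback = 30d;
let recent = 1d;
let IDETunnelProcesses = dynamic([
  "code.exe", "code-tunnel.exe", "code-insiders.exe", "code", "code-tunnel",
  "devtunnel.exe", "devtunnel", "jetbrains-gateway.exe", "gateway.exe"
]);
// Hypothetical CI/CD and DevOps identities approved to open tunnels
let ApprovedTunnelAccounts = datatable(AccountName:string, Reason:string)[
  "svc-buildagent", "CI/CD pipeline agent that invokes the VS Code CLI",
  "devops-gateway", "JetBrains Gateway to cloud development environments"
];
// Baseline: device/account pairs that ran a tunnel command earlier in the lookback window
let BaselinePairs = DeviceProcessEvents
  | where Timestamp between (ago(lookback) .. ago(recent))
  | where FileName has_any (IDETunnelProcesses) and ProcessCommandLine has "tunnel"
  | summarize PriorRuns = count(), PriorDays = dcount(bin(Timestamp, 1d)) by DeviceName, AccountName
  | where PriorDays >= 3;   // seen on three or more distinct days: treat as a normal workflow
DeviceProcessEvents
| where Timestamp > ago(recent)
| where FileName has_any (IDETunnelProcesses) and ProcessCommandLine has "tunnel"
// Remove approved service accounts first
| join kind=leftanti ApprovedTunnelAccounts on AccountName
// Then remove pairs with an established history; what remains is first-seen tunnelling
| join kind=leftanti BaselinePairs on DeviceName, AccountName
// Non-interactive parents (schedulers, services, script hosts) are the highest-value remainder
| extend UnusualParent = InitiatingProcessFileName in~ ("schtasks.exe", "services.exe", "wscript.exe", "cscript.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, UnusualParent
| sort by UnusualParent desc, Timestamp desc
```

The baseline deliberately excludes the most recent day from its own window, so an adversary's first tunnel does not immediately become part of the "normal" history; raise the three-day threshold if developers on the estate open tunnels only occasionally.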
Testing Methodology

Validate this detection against the three adversary techniques below, drawn from Atomic Red Team. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: VS Code CLI Tunnel Initiation

    Expected signal: Sysmon Event ID 1: Process Create with Image=code.exe, CommandLine containing 'tunnel --accept-server-license-terms --name test-tunnel'. Sysmon Event ID 22: DNS query for tunnels.api.visualstudio.com. If tunnel starts: Sysmon Event ID 3 for HTTPS connection to tunnel relay servers.

  2. Test 2: DevTunnel CLI Tunnel Creation

    Expected signal: Sysmon Event ID 1: Process Create with Image=devtunnel.exe, CommandLine containing 'host --port 8080 --allow-anonymous'. Sysmon Event ID 22: DNS query for devtunnels.ms. Sysmon Event ID 3: Network connection to Microsoft tunnel infrastructure.

  3. Test 3: VS Code Tunnel Persistence via Scheduled Task

    Expected signal: Security Event ID 4698: Scheduled task created with TaskContent containing 'code.exe tunnel'. Sysmon Event ID 1: Process Create for schtasks.exe with command line showing the tunnel command. The scheduled task itself won't execute (non-existent path) but the creation event fires.
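To confirm that the telemetry the three tests should produce actually reached the workspace, the following added query (not part of the page's package) counts matching events per test over a short window and marks any test with no hits as missing. It assumes Defender for Endpoint process events (DeviceProcessEvents, the counterpart of Sysmon Event ID 1) and Windows Security events (the SecurityEvent table, which carries TaskName and TaskContent for Event ID 4698) are ingested; the two-hour window is an arbitrary choice, and the DNS and network signals from Tests 1 and 2 are not checked here.

```kusto
// Added example: per-test validation of expected telemetry after running the Atomic tests.
// Table names are Sentinel defaults; the window and test labels are this example's own.
let window = 2h;   // run shortly after executing the tests
let Expected = datatable(TestName:string)[
  "Test 1: VS Code CLI Tunnel Initiation",
  "Test 2: DevTunnel CLI Tunnel Creation",
  "Test 3: VS Code Tunnel Persistence via Scheduled Task"
];
let Observed = union
  (DeviceProcessEvents
    | where Timestamp > ago(window)
    | where FileName =~ "code.exe" and ProcessCommandLine has_all ("tunnel", "accept-server-license-terms")
    | extend TestName = "Test 1: VS Code CLI Tunnel Initiation", Evidence = ProcessCommandLine),
  (DeviceProcessEvents
    | where Timestamp > ago(window)
    | where FileName =~ "devtunnel.exe" and ProcessCommandLine has "host"
    | extend TestName = "Test 2: DevTunnel CLI Tunnel Creation", Evidence = ProcessCommandLine),
  // Test 3 has two independent signals: the schtasks.exe process and the 4698 audit event
  (DeviceProcessEvents
    | where Timestamp > ago(window)
    | where FileName =~ "schtasks.exe" and ProcessCommandLine has "tunnel"
    | extend TestName = "Test 3: VS Code Tunnel Persistence via Scheduled Task", Evidence = ProcessCommandLine),
  (SecurityEvent
    | where TimeGenerated > ago(window)
    | where EventID == 4698 and TaskContent has "tunnel"
    | extend TestName = "Test 3: VS Code Tunnel Persistence via Scheduled Task",
             Evidence = strcat(TaskName, " : ", TaskContent))
  | summarize Hits = count(), Samples = make_set(Evidence, 3) by TestName;
Expected
| join kind=leftouter Observed on TestName
| project TestName, Hits = coalesce(Hits, 0), Samples
| extend Status = iff(Hits > 0, "observed", "MISSING")
```

A MISSING row for Test 3 with hits on the schtasks.exe side but none from SecurityEvent usually means the Windows Security Events connector is not forwarding 4698, which is an ingestion gap rather than a detection gap.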
