T1219.001 Splunk · SPL

Detect IDE Tunneling in Splunk

Adversaries may abuse Integrated Development Environment (IDE) software with remote development features to establish an interactive command and control channel on target systems within a network. IDE tunneling combines SSH, port forwarding, file sharing, and debugging into a single secure connection, letting developers work on remote systems as if they were local. Unlike SSH and port forwarding, IDE tunneling encapsulates an entire session and may use proprietary tunneling protocols alongside SSH, allowing adversaries to blend in with legitimate development workflows. Some IDEs, like Visual Studio Code, provide CLI tools (e.g., code tunnel) that adversaries may use to programmatically establish tunnels and generate web-accessible URLs for remote access. These tunnels can be authenticated through accounts such as GitHub, enabling the adversary to control the compromised system via a legitimate developer portal.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1219 Remote Access Tools
Sub-technique
T1219.001 IDE Tunneling
Canonical reference
https://attack.mitre.org/techniques/T1219/001/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*\\code.exe" OR Image="*\\code-tunnel.exe" OR Image="*\\code-insiders.exe"
   OR Image="*\\devtunnel.exe" OR Image="*\\devtunnel"
   OR Image="*\\jetbrains-gateway.exe" OR Image="*\\gateway.exe"
   OR Image="*\\remote-dev-server*" OR Image="*\\cursor.exe"
   OR CommandLine="*tunnel*" OR CommandLine="*serve-web*" OR CommandLine="*--remote-tunnel*")
| eval IsTunnelCommand=if(match(CommandLine, "(?i)tunnel"), 1, 0)
| eval IsCodeCLI=if(match(Image, "(?i)(code\.exe|code-tunnel|code-insiders)"), 1, 0)
| eval IsJetBrains=if(match(Image, "(?i)(jetbrains-gateway|gateway\.exe|remote-dev-server|idea|pycharm)"), 1, 0)
| eval HasGitHubAuth=if(match(CommandLine, "(?i)(--github|github|--provider\s+github)"), 1, 0)
| eval IsHeadless=if(match(CommandLine, "(?i)(--cli|--no-browser|--accept-server-license-terms|serve-web)"), 1, 0)
| eval RiskScore=IsTunnelCommand + HasGitHubAuth + IsHeadless
| where IsTunnelCommand=1 OR IsCodeCLI=1 OR IsJetBrains=1
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, IsTunnelCommand, IsCodeCLI, IsJetBrains, HasGitHubAuth, IsHeadless, RiskScore
| sort - _time
high severity high confidence

Detects IDE tunneling activity via Sysmon Process Creation logs (Event ID 1). Identifies VS Code tunnel CLI execution, JetBrains Gateway remote development sessions, and DevTunnel usage. Assigns a risk score based on tunnel command presence, GitHub authentication, and headless execution mode. Higher scores indicate more suspicious usage patterns consistent with adversary C2 techniques documented in Operation Digital Eye and Mustang Panda campaigns.

Data Sources

Process: Process CreationCommand: Command ExecutionSysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Software developers using VS Code Remote Development extension for legitimate remote coding workflows
  • DevOps engineers using JetBrains Gateway to connect to cloud-based development environments
  • CI/CD pipelines invoking VS Code CLI or DevTunnel for automated integration testing
  • IT administrators using VS Code tunnel for remote server management
Download portable Sigma rule (.yml)

Other platforms for T1219.001

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1VS Code CLI Tunnel Initiation

    Expected signal: Sysmon Event ID 1: Process Create with Image=code.exe, CommandLine containing 'tunnel --accept-server-license-terms --name test-tunnel'. Sysmon Event ID 22: DNS query for tunnels.api.visualstudio.com. If tunnel starts: Sysmon Event ID 3 for HTTPS connection to tunnel relay servers.

  2. Test 2DevTunnel CLI Tunnel Creation

    Expected signal: Sysmon Event ID 1: Process Create with Image=devtunnel.exe, CommandLine containing 'host --port 8080 --allow-anonymous'. Sysmon Event ID 22: DNS query for devtunnels.ms. Sysmon Event ID 3: Network connection to Microsoft tunnel infrastructure.

  3. Test 3VS Code Tunnel Persistence via Scheduled Task

    Expected signal: Security Event ID 4698: Scheduled task created with TaskContent containing 'code.exe tunnel'. Sysmon Event ID 1: Process Create for schtasks.exe with command line showing the tunnel command. The scheduled task itself won't execute (non-existent path) but the creation event fires.

Last updated: 2026-04-13 Research depth: deep
References (8)

Unlock Pro Content

Get the full detection package for T1219.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1219Remote Access Tools

Related Sub-techniques

T1219.002Remote Desktop SoftwareT1219.003Remote Access Hardware

Related Techniques

T1219Remote Access ToolsT1219.002Remote Desktop SoftwareT1572Protocol TunnelingT1071.001Web ProtocolsT1176.002IDE ExtensionsT1053.005Scheduled TaskT1547.001Registry Run Keys / Startup FolderT1105Ingress Tool TransferT1021.004SSH

Same Tactic: Command and Control

Popular Detections