title: IDE Extensions (T1176.002)
id: df00tech-t1176-002
status: experimental
description: "Adversaries may abuse an integrated development environment (IDE) extension to establish persistent access to victim systems. IDEs such as Visual Studio Code, IntelliJ IDEA, and Eclipse support extensions — software components that add features like code linting, auto-completion, task automation, or integration with external tools. A malicious extension can be installed through an extension marketplace or side-loaded directly into the IDE via a .vsix package. Once installed, the extension runs every time the IDE is launched, enabling persistent arbitrary code execution, backdoor establishment, cryptocurrency mining, or data exfiltration. Adversaries may also leverage benign extensions: for example, Mustang Panda has abused the VSCode built-in tunnel feature (code.exe tunnel) to establish persistent reverse shells routed through Microsoft infrastructure, bypassing firewall controls."
references:
  - https://attack.mitre.org/techniques/T1176/002/
  - https://df00tech.com/detections/T1176.002
author: df00tech
date: 2026/04/18
tags:
  - attack.t1176.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Developers using VSCode Remote Tunnels legitimately for authorized remote development — tunnel usage should be validated against IT-approved remote development policy
  - Security researchers or penetration testers testing IDE extensions in authorized lab environments
  - Extension developers side-loading their own .vsix files during local development and testing cycles
  - Build pipelines that invoke cmd.exe or powershell.exe as part of IDE task runners (e.g., VSCode tasks.json running build scripts) — these will have predictable, repeatable command lines
  - IDE extensions for Docker, Kubernetes, or cloud providers that legitimately connect to external management APIs on non-standard ports
level: high
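
Because the detection block above is only a placeholder, the following is an added worked example (not df00tech's rule logic and not the KQL/SPL query it references) of how the three behaviours named in the description and false-positive list can be triaged over process_creation telemetry: `code.exe` launched with the `tunnel` subcommand, `--install-extension` pointed at a local `.vsix`, and a cmd/powershell child of an IDE that does not match an approved task-runner command line. The events are constructed, the field names (Image, ParentImage, CommandLine) follow Sysmon Event ID 1 conventions, and the IDE and shell image sets are assumptions to tune per environment.

```python
"""Heuristic triage of process-creation events for IDE-extension abuse (T1176.002).

Added example with constructed events; Sysmon-style field names are assumed.
Not df00tech's rule logic or the KQL/SPL query referenced in the rule.
"""
import shlex
from typing import Dict, Iterable, List

Event = Dict[str, str]

# Assumed image sets; extend to the IDEs and shells used in your environment.
IDE_IMAGES = {"code.exe", "code-insiders.exe", "idea64.exe", "eclipse.exe"}
VSCODE_IMAGES = {"code.exe", "code-insiders.exe", "code-tunnel.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed sample events (paths and command lines are illustrative only).
VSCODE = r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS: List[Event] = [
    {"Image": VSCODE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{VSCODE}" tunnel --accept-server-license-terms --name build-host'},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c code --install-extension C:\Temp\helper-1.0.0.vsix"},
    {"Image": POWERSHELL, "ParentImage": VSCODE,
     "CommandLine": r"powershell.exe -NoProfile -File C:\src\scripts\build.ps1"},
    {"Image": POWERSHELL, "ParentImage": VSCODE,
     "CommandLine": 'powershell.exe -NoProfile -Command "Get-ChildItem $env:USERPROFILE -Recurse"'},
    {"Image": VSCODE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{VSCODE}" C:\\src\\project'},
    # "tunnel" only in the install path, not as an argument: must not fire.
    {"Image": r"C:\Tools\tunnel\Code.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Tools\tunnel\Code.exe" C:\src\project'},
]
# Constructed allowlist of approved tasks.json invocations (the predictable command lines
# the rule's false-positive list describes).
KNOWN_TASKS = [r"-File C:\src\scripts\build.ps1"]


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def argv(command_line: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted paths with backslashes intact."""
    try:
        parts = shlex.split(command_line, posix=False)
    except ValueError:  # unbalanced quotes: fall back to a plain whitespace split
        parts = command_line.split()
    return [p.strip('"') for p in parts]


def is_vscode_tunnel(event: Event) -> bool:
    """code.exe started with the `tunnel` subcommand as an argument (not just in its path)."""
    args = argv(event.get("CommandLine", ""))
    return basename(event.get("Image", "")) in VSCODE_IMAGES and "tunnel" in [a.lower() for a in args[1:]]


def is_vsix_sideload(event: Event) -> bool:
    """`--install-extension` given a local .vsix package rather than a marketplace id."""
    args = [a.lower() for a in argv(event.get("CommandLine", ""))]
    return "--install-extension" in args and any(a.endswith(".vsix") for a in args)


def is_ide_spawned_shell(event: Event, known_tasks: Iterable[str] = ()) -> bool:
    """cmd/powershell child of an IDE whose command line matches no approved task invocation."""
    if basename(event.get("ParentImage", "")) not in IDE_IMAGES:
        return False
    if basename(event.get("Image", "")) not in SHELL_IMAGES:
        return False
    cmd = event.get("CommandLine", "").lower()
    return not any(task.lower() in cmd for task in known_tasks)


def triage(events: Iterable[Event], known_tasks: Iterable[str] = ()) -> List[Dict[str, object]]:
    """Return one finding per (event, rule) hit, ordered by event then rule severity."""
    known = list(known_tasks)
    rules = (
        ("vscode_tunnel", "high", is_vscode_tunnel),
        ("vsix_sideload", "medium", is_vsix_sideload),
        ("ide_spawned_shell", "low", lambda ev: is_ide_spawned_shell(ev, known)),
    )
    findings: List[Dict[str, object]] = []
    for idx, ev in enumerate(events):
        for name, severity, check in rules:
            if check(ev):
                findings.append({"event": idx, "rule": name, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, KNOWN_TASKS):
        print(finding)
```

The tunnel check tokenizes the command line rather than substring-matching, so an install directory that happens to contain "tunnel" (event 5) does not fire; the shell check is the noisy one and is only useful with the task-runner allowlist the false-positive list calls for, which is why event 2 is suppressed while event 3 is reported.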
