title: IDE Tunneling (T1219.001)
id: df00tech-t1219-001
status: experimental
description: "Adversaries may abuse Integrated Development Environment (IDE) software with remote development features to establish an interactive command and control channel on target systems within a network. IDE tunneling combines SSH, port forwarding, file sharing, and debugging into a single secure connection, letting developers work on remote systems as if they were local. Unlike SSH and port forwarding, IDE tunneling encapsulates an entire session and may use proprietary tunneling protocols alongside SSH, allowing adversaries to blend in with legitimate development workflows. Some IDEs, like Visual Studio Code, provide CLI tools (e.g., code tunnel) that adversaries may use to programmatically establish tunnels and generate web-accessible URLs for remote access. These tunnels can be authenticated through accounts such as GitHub, enabling the adversary to control the compromised system via a legitimate developer portal."
references:
  - https://attack.mitre.org/techniques/T1219/001/
  - https://df00tech.com/detections/T1219.001
author: df00tech
date: 2026/04/13
tags:
  - attack.t1219.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # The df00tech KQL/SPL query could not be auto-translated. The selection below is a
  # process_creation starting point built only from the indicators named in the
  # description (the VS Code `code tunnel` CLI and the Microsoft Dev Tunnels CLI);
  # compare it against the KQL/SPL query on df00tech and tune before deploying.
  selection_vscode:
    Image|endswith:
      - '\code.exe'          # standalone VS Code CLI
      - '\code-tunnel.exe'   # CLI shipped in the VS Code install's bin\ directory
    CommandLine|contains: ' tunnel'
  selection_devtunnel:
    Image|endswith: '\devtunnel.exe'
    CommandLine|contains: ' host'
  condition: 1 of selection_*
falsepositives:
  - Software developers using VS Code Remote Development extension to work on remote servers or containers as part of normal development workflows
  - "DevOps engineers using JetBrains Gateway to connect to remote build servers or cloud development environments (GitHub Codespaces, Gitpod)"
  - CI/CD pipeline agents that invoke VS Code CLI or DevTunnel for automated testing or deployment tasks
  - IT administrators using VS Code tunnel to remotely troubleshoot servers from their workstations
level: high
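Added example (not df00tech code, not part of the Sigma rule above): the `selection_vscode` / `selection_devtunnel` logic implemented as a small Python matcher and run over constructed Sysmon-style process_creation events, plus a triage step that pulls out what an analyst wants from a `code tunnel` hit (the `--name` tunnel label, whether it was installed as a service for persistence, and whether the non-interactive license-acceptance flag was used). Field names (`Image`, `CommandLine`, `User`), the sample paths and the sample events are assumptions chosen for illustration.

```python
"""Evaluate the IDE-tunneling process_creation selections against sample events.

Added example, not df00tech's code. Event fields follow Sysmon Event ID 1 naming;
all sample events below are constructed for illustration.
"""
import re
from typing import Dict, List, Optional

# Mirrors the Sigma selections: fields inside one selection are ANDed,
# the rule fires on '1 of selection_*'.
SELECTIONS: Dict[str, Dict[str, List[str]]] = {
    "selection_vscode": {
        "Image|endswith": [r"\code.exe", r"\code-tunnel.exe"],
        "CommandLine|contains": [" tunnel"],
    },
    "selection_devtunnel": {
        "Image|endswith": [r"\devtunnel.exe"],
        "CommandLine|contains": [" host"],
    },
}


def _field_matches(value: str, modifier: str, patterns: List[str]) -> bool:
    """Sigma string modifiers are case-insensitive; a list of patterns is ORed."""
    v = value.lower()
    for p in patterns:
        p = p.lower()
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "contains" and p in v:
            return True
    return False


def _selection_matches(event: Dict[str, str], selection: Dict[str, List[str]]) -> bool:
    for key, patterns in selection.items():
        field, modifier = key.split("|", 1)
        if not _field_matches(event.get(field, ""), modifier, patterns):
            return False
    return True


def match_event(event: Dict[str, str]) -> Optional[str]:
    """Return the name of the first selection the event satisfies, or None."""
    for name, sel in SELECTIONS.items():
        if _selection_matches(event, sel):
            return name
    return None


def triage(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Enrich a hit with the details an analyst needs for the first look."""
    name = match_event(event)
    if name is None:
        return None
    cmd = event.get("CommandLine", "")
    # `code tunnel --name <label>`; the label is what shows up in the developer portal.
    m = re.search(r'--name[ =](?:"([^"]+)"|(\S+))', cmd)
    return {
        "selection": name,
        "user": event.get("User"),
        "image": event.get("Image"),
        "tunnel_name": (m.group(1) or m.group(2)) if m else None,
        # `code tunnel service install` registers the tunnel to survive reboots.
        "persistence": "service install" in cmd.lower(),
        # Scripted/unattended use must accept the license on the command line.
        "noninteractive": "--accept-server-license-terms" in cmd,
    }


def run_detection(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    return [r for r in (triage(e) for e in events) if r is not None]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # standalone CLI dropped by an operator, tunnel labelled to look like a build host
        "Image": r"C:\Users\dev\.vscode-cli\code.exe",
        "CommandLine": r'"C:\Users\dev\.vscode-cli\code.exe" tunnel --accept-server-license-terms --name build-srv-01',
        "User": "CORP\\dev",
    },
    {   # tunnel installed as a Windows service for persistence
        "Image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\bin\code-tunnel.exe",
        "CommandLine": r'"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\bin\code-tunnel.exe" tunnel service install --accept-server-license-terms',
        "User": "CORP\\dev",
    },
    {   # Dev Tunnels CLI exposing a local port
        "Image": r"C:\Users\dev\devtunnel.exe",
        "CommandLine": r"devtunnel.exe host -p 8080 --allow-anonymous",
        "User": "CORP\\dev",
    },
    {   # benign: opening a local folder
        "Image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
        "CommandLine": r'"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe" C:\proj --new-window',
        "User": "CORP\\dev",
    },
    {   # devtunnel login without hosting anything: not matched by this selection
        "Image": r"C:\Users\dev\devtunnel.exe",
        "CommandLine": r"devtunnel.exe user login -g",
        "User": "CORP\\dev",
    },
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit)
```

The leading space in `' tunnel'` keeps a directory named `tunnel` in the image path from matching on its own, but a path segment such as `IDE tunnel\code.exe` still would; the triage fields (service install, non-interactive flag, tunnel label) are what separate a developer's interactive session from a scripted, persistent one, so surface them rather than alerting on the raw selection alone.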
