Tag: microsoft

Detecting Abuse of VSCode Remote Tunnels

In my previous post, we took a look at Microsoft Dev Tunnels, how they’re abused by threat actors, and how you can detect they’re usage. In this post we’ll take a look at Microsoft VSCode Remote Tunnels. A different implementation of a similar a capability, which is harder to detect for Blue Teams.

What are Remote Tunnels

Remote Tunnels is a feature built into Microsoft VSCode. One of the most popular IDEs for developers in use today.

The feature allows you to expose your coding environment, externally. Take the following scenario as an example;

You’re a developer, working on a new web application, on your corporate provided laptop. VSCode is your IDE of choice.

You decide to visit family abroad, but the country you’re traveling to isn’t a location that your organisation approves remote work from. You want to work on your web application from the remote country, but can’t take your corporate device with you.

Enter remote tunnels, with this capability, you can expose your coding environment, to any device. You can also share the environment you’re working on with colleagues, so you can all work on the code base together.

How it Works

You have your code base on your corporate laptop, you simply enable Remote Tunnels in VSCode. This then provides you with a URL. You paste that URL into a web browser, authenticate with the Microsoft or GitHub account you created the tunnel with, and you have access to the local directory the repo is hosted on. You can also provision access to the tunnel to colleagues as well, allowing them to connect to your device.

How it’s Being Abused

In recent months the abuse of VSCode remote tunnels has increased, with multiple threat actors utilising the tool in their campaigns. Typically, a malicious script or LNK file is delivered to a user, where the presence of VSCode is checked. If it’s not, the CLI Version of the tool is installed, and a tunnel is setup.

Example Campaign

Let’s mimic an example campaign to highlight how VSCode tunnels are being abused by Threat Actors. We’re going to use a campaign ran by the threat actor Mustang Panda (aka Stately Taurus) as inspiration.

Our attack path is going to look like a below;

Infection chain for remote tunnels

Some more details on the attack chain;

  1. Deliver of a malicious LNK File, update.py.
  2. LNK file contains PowerShell command to download and run a python script from a remote IP address.
  3. Python script downloads and runs VSCode CLI binary, called code-insiders.exe
    • We’re using the CLI version of VSCode, I used the insiders version. This is just a beta version of VSCode. The non-beta version can be download from here.
  4. Python script creates and authenticates a VSCode tunnel, using the CLI binary against Github.
    • As was the case with Dev Tunnels, you authenticate your VSCode tunnel against either a Microsoft or Github account. Github allows for device code authentication, making it perfect for usage in a script. More on that later
  5. VSCode remote tunnel is established.
  6. Threat actor performs command execution of python payload, via the tunnel established from a web browser

Attacker Telemetry

We’ll walk through what the attack chain looks like, both in our logging and from our attackers perspective. As always, I’m using Elastic, and their endpoint agent for my lab.

LNK File Execution

Below shows the LNK file execution. Nothing fancy, it contains a simple PowerShell one liner that downloads a Python script from my web server, and executes the script.

PowerShell command to download and run python
Python Script Execution

The Python Script downloads the CLI binary for the Code Insiders version of VSCode. It then creates a tunnel, and generates an authentication link.

VSCode remote tunnel setup script
Important Flags and Authentication

In the snippet from my Python Script that sets up the tunnel below, we can see we’re parsing the flags tunnel and --accept-server-license-terms both of these flags are required establishing a tunnel. They can be used for in a detection opportunity, but more on that later.

def setup_remote_tunnel(vscode_cli_path, timeout=60):
    """Set up a VSCode Remote Tunnel."""
    print("Setting up VSCode Remote Tunnel...")

    process = subprocess.Popen(
        [vscode_cli_path, "tunnel", "--accept-server-license-terms"],
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
        stdin=subprocess.PIPE,  # Redirect stdin to provide input
        text=True

You may also note that we’ve not parsed any flags to force GitHub device authentication. This is because the CLI versions of VSCode use this method of authentication by default.

All we need to do is capture the code, and we can send it back to ourselves via POSTing it to our web server.

Connecting to the tunnel

An attacker needs to take the GitHub device code for authentication generated by the Code CLI, and enter at the below URL. This will need to be done while being authenticated to GitHub with their account.

https://github.com/login/device

We then enter our device code, that was captured by our Python Script, and generated by the VSCode CLI.

Github authentication for VSCode remote tunnels

The attacker then needs to authorise the tunnel associated and connected with their account. Which I’m sure they’ll have no issue doing 😉

GitHub device authentication for VScode remote tunnels

Now they need to access VSCode in their browser. If they’re using the standard version of VSCode, then the domain accessed will be vscode.dev.

However, as I’m using the Code Insiders version, the domain I’ll be hitting will instead be insiders.vscode.dev

We then hit the connect to tunnel button, and authenticate to VSCode with out attackers GitHub account.

VSCode remote tunnels connection

Once authenticated to our account, we should see a list of remote hosts that have a tunnel running, which we can connect to.

Remote tunnel host

And selecting our online victim host will establish a connection to the VSCode remote tunnel running on that host.

Remote tunnel host

We can now traverse directories on our victims remote host.

Directory traversal VSCode remote tunnel

And even worse, we can create new files/scripts, and execute them remotely.

Below shows a simple Python script to collect some host information from our victims host. We were able to create this script, and run it remotely all through our browser session, connected to our victims host via a tunnel.

Script execution VSCode remote tunnels
Script output

And the information collected by the script, we had it write to a txt file on our Victims host.

Script log

Attacker Conclusion

Summing up this section, the VSCode remote tunnels feature is extremely powerful and gives the ability to perform full remote code execution. The scariest element, is that we were able to do all this via a simple LNK file delivered to the user. With this in mind, let us look at how we can detect what our attacker has done.

Detecting VSCode Remote Tunnels

We’re going to break down the different elements of the attacker chain into their own hunts and detections.

PowerShell Execution

Firstly, we’ll look at the execution of the LNK file execution one liner to download and run our Python Script. Some EDRs are able to capture the LNK file name in the child process execution event, but it seems Elastic does not 😦.

I looked for cases where explorer is the parent of PowerShell, as this would be the typical relationship when a LNK file is used to launch a PowerShell script.

We can further filter down by looking for certain PowerShell arguments, including Invoke-WebRequest, OutFile and python.

Below is a fairly disgusting KQL query to match on this.

process.parent.name: explorer.exe and process.name : "powershell.exe" and process.args : *Invoke-WebRequest* and process.args : *OutFile* and process.args : *python*

I prefer to use regex and Elasticsearch DSL instead, below is the query to use that method instead.

{
  "query": {
    "bool": {
      "must": [
        { "term": { "host.os.type": "windows" } },
        { "term": { "event.type": "start" } },
        { "term": { "process.name": "powershell.exe" } },
        { "wildcard": { "process.parent.executable": "*explorer.exe" } },
        {
          "regexp": {
            "process.args": ".*(Invoke-WebRequest.*OutFile.*python|Invoke-WebRequest.*python.*OutFile|OutFile.*Invoke-WebRequest.*python|OutFile.*python.*Invoke-WebRequest|python.*Invoke-WebRequest.*OutFile|python.*OutFile.*Invoke-WebRequest).*"
          }
        }
      ]
    }
  }
}

This should show results where PowerShell is reaching out to a remote location, where a file is downloaded, and python is invoked to execute a script.

VSCode Tunnel Setup

Looking for code.exe or code-insiders.exe being written to disk would be pointless. A half decent attacker will rename the binaries, and furthermore, will have them downloaded from their own infrastructure.

Therefore, we must focus on the behaviours the attacker can not change. Firstly, the --accept-server-license-terms flag parsed to the CLI Code Binary.

 process.args: *--accept-server-license-terms* 

Focusing on the flag in the process arguments/command line gives us a few interesting results.

process.parent.executable: C:\Windows\System32\cmd.exe
process.parent.command_line: "cmd" /Q /C C:\Users\paul\.vscode-insiders\cli\servers\Insiders-89f808979a5151bd91324e65d4f7ab1b62896983\server\bin\code-server-insiders.cmd --connection-token=REDACTED --accept-server-license-terms --start-server --enable-remote-auto-shutdown --socket-path=\\.\pipe\code-insiders-1aabdd67-c31d-4f2a-8983-018f3d4e74e6
process.command_line: "C:\Users\paul\.vscode-insiders\cli\servers\Insiders-89f808979a5151bd91324e65d4f7ab1b62896983\server\bin\..\node.exe"   "C:\Users\paul\.vscode-insiders\cli\servers\Insiders-89f808979a5151bd91324e65d4f7ab1b62896983\server\bin\..\out\server-main.js"  --connection-token REDACTED --accept-server-license-terms --start-server --enable-remote-auto-shutdown --socket-path \\.\pipe\code-insiders-1aabdd67-c31d-4f2a-8983-018f3d4e74e6
process.executable: C:\Users\paul\.vscode-insiders\cli\servers\Insiders-89f808979a5151bd91324e65d4f7ab1b62896983\server\node.exe


In the above we can see one set of results, where a new .vscode directory has been created,

.vscode-insiders\cli\servers\Insiders-89f808979a5151bd91324e65d4f7ab1b62896983\server\bin..\

We can see the below flags have been parsed to a node.exe binary, running the JS file, server-main.js:

--connection-token REDACTED
--accept-server-license-terms
--start-server
--enable-remote-auto-shutdown
--socket-path \.\pipe\code-insiders-1aabdd67-c31d-4f2a-8983-018f3d4e74e6

We can also see part of the process tree, where code-insiders has spawned cmd.exe, to spawn node.exe to run the server-main.js.

VSCode remote tunnel detection tree

Using these process relationships, and command line arguments can provide detection and hunt opportunities.

Script Execution

Next, we’ll take a look at our Python Enumeration Script execution, that the TA ran from their web browser on our victims host. Below is an example screenshot of the activity.

VSCode remote tunnel events SIEM

And here we have the command line for the parent process, that launches Python. Our TA used a PowerShell terminal, within VSCode to run our Python Script.

[C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe, -noexit, -command, try { . "c:\Users\paul\.vscode-insiders\cli\servers\Insiders-89f808979a5151bd91324e65d4f7ab1b62896983\server\out\vs\workbench\contrib\terminal\common\scripts\shellIntegration.ps1" } catch {}]

The interesting elements from the parent command line, are the path , and the shellIntergation.ps1 script. This script is what provides a PowerShell interface within VSCode.

We can find activity like this in the future with a query like the below. However, bare in mind, the interpreter or terminal the TA uses from within the VSCode session could be something different.

process.parent.name: powershell.exe and process.name.caseless : python.exe and process.parent.command_line.caseless : *shellIntegration.ps1*  and process.parent.command_line.caseless: *cli\\servers*

Network Connections

The main domain used by VSCode tunnels is:  

global.rel.tunnels.api.visualstudio.com

Blocking this domain in your organisation should block the usage of the tunnels.

Other domains used as part of VSCode tunnels include:

URL/DomainDescription
https://code.visualstudio.com/sha/download?build=stable&os=cli-alpine-x64VSCode CLI Download Domain
https://code.visualstudio.com/sha/download?build=insider&os=cli-win32-x64Code Insiders CLI Download
vscode.devDomain for VSCode browser session
insiders.vscode.devDomain for Code Insiders browser session.

Forensics/Logging

If the target user already has the full VSCode application installed, and a remote tunnel is established, there’s a useful state table you can load into SQLite Browser.

Located in the below locations

  • Windows: C:\Users\*\AppData\Roaming\Code\User\globalStorage\state.vscdb
  • Mac OS: /Library/Application Support/Code/User/globalStorage/state.vscdb
  • Linux: /.config/code/User/globalStorage/state.vscdb

This table give some useful information about the tunnel sessions, included mode of authentication, the account used to authenticate, and timestamps of tunnel sessions.

remoteTunnelServicePromptedPreview	true
remoteTunnelHasUsed	true
remoteTunnelSession	{"providerId":"github","sessionId":"f69cea964f86159","accountLabel":"REDACTED"}
remoteTunnelServiceUsed	{"hostName":"home-pc2","timeStamp":1736796256912}
remoteTunnelIsService	false

One of the fields in the logs remoteTunnelIsService: False, this indicates whether the Remote Tunnel was configured to run as a service. When this is done, it means a tunnel is setup anytime the host is brought online. This therefore, can provide a means of persistent access to an attacker.

This can be done but parsing the service flag on the tunnel install.

code tunnel service install

An example of this with the full tunnel setup can be seen below.

code-tunnel.exe tunnel service install --accept-server-license-terms --log info --name Home-PC

CLI Logging

CLI versions of VSCode do have some logging as well, however they are not as useful as the state table. Regardless, they might be worth a look. They are typically located in:

C:\Users\*\.vscode-server\data\logs

C:\Users\*\.vscode\cli\servers

Mitigations

There are some Group Policy settings which allow restrictions to be implemented on VSCode Remote Tunnels, as well as Dev Tunnels.

Disable anonymous tunnel access: Disallow anonymous tunnel access. This means users cannot connect to an existing tunnel with anonymous access control, host an existing tunnel with anonymous access control, or add anonymous access to existing or new tunnels.

Disable Dev Tunnels: Disallow users from using the Dev Tunnels service. All commands, with few exceptions, should be denied access when this policy is enabled. Exceptions: unset, echo, ping, and user.

Allow only selected Microsoft Entra tenant IDs: Users must authenticate within the given tenant list to access Dev Tunnels.

A template for these settings is available here.

Closing Out

The content covered shows how easy it is for a threat actor to utilise VSCode remote tunnels into their campaigns. Organisations should look to enforce authentication to remote tunnels against their own tenants only.

In cases where this is not possible, tunnel usage should be blocked from the estate, or detections should be implemented on their abuse. Threat Actors are increasingly using these tunnels in their campaigns.

Microsoft Dev Tunnels: Tunnelling C2 and More

Attackers are always looking for ways to blend into an environment, to establish a C2 channel undetected. Utilising legitimate tooling for their malicious activities is a common way that they achieve this.

From a defender’s standpoint, spotting activity that’s meant to blend in can be quite challenging. A SOC team, especially one experiencing alert fatigue, might often resort to checking a domain or hash on VirusTotal. If it’s a known domain or hash, particularly one signed or trusted by Microsoft, they might quickly label it as a false positive and move on.

Microsoft Dev Tunnels

Dev Tunnels allow developers to expose services running locally to remote hosts, across the internet and tunneled through Microsoft infrastructure. For example, let’s say I have a simple webserver running on my PC, I want a colleague to be able to test the web page I’ve created. I can use a Dev Tunnel to expose port 443 on my host. A Microsoft Dev Tunnel domain is generated *.devtunnels.ms, I provide the URL to my colleague, and they can access the web service on my local host, via the Microsoft URL.

I can expose any service via the Dev Tunnels, including RDP and SSH. With the ability to tunnel traffic using Microsoft domains, you can imagine why this would be an attractive concept to attackers.

There have been increased reports of threat actors utilising Microsoft Dev Tunnels and other legitimate remote tools in their campaigns. So, let’s walk through the different ways Dev Tunnels can be abused by attackers.

Scenario One: Using for C2

Firstly, using Dev Tunnels for C2. Take the diagram below as an example. A victim PC has executed a payload, and the C2 beacon is configured to connect to a Microsoft Dev Tunnels domain.

In most environments, the domain will pass through any proxy or firewall, due to the domain belonging to Microsoft. The traffic is then forwarded by Microsoft to the attacker’s machine.

Dev Tunnel Diagram

Creating a tunnel

Meanwhile, if we look at the attacker’s perspective, all they need to do is install the dev tunnel binary, which is available on Mac, Linux, and Windows.

Some key details on establishing a tunnel below:

  • Authentication: To create a tunnel, you need to authenticate to either a personal GitHub or Microsoft Account. Obviously setting up an account with either is trivial.
  • Anonymous Access: You can configure a tunnel to allow anonymous access, allowing anyone to connect to your tunnel.
  • Tunnel ID: Following the creation of a tunnel, a tunnel ID is generated, this is used to connect two endpoints together through a tunnel.

The highlighted URL below is what we will use for our C2 beacon.

Dev Tunnel C2 URL

Establishing C2

The process for utilising a Dev Tunnel domain for C2 traffic will be similar across different C2 frameworks. Below is an example of creating a listener in Cobalt Strike.

  1. Select Beacon Type, usually HTTPS.
  2. Define the HTTPS host to listen on, in this case, it would be our tunnel domain, 8kl69l904-443.uks1.devtunnels.ms
  3. Define the HTTPS host (stager), the IP of your team server.
  4. Select HTTPS Port, 443.
Dev Tunnel Cobalt Strike

Example Event

In the event shown below, we can see connections to our tunnel domain, from our beacon process. The beacon process is a fake OneDrive binary, which has a forged Microsoft certificate.

@timestampdns.question.nameprocess.code_signature.subject_nameprocess.nameuser.nameprocess.code_signature.trusted
Sep 1, 2024 @ 11:44:50.1698kl6l904-443.uks1.devtunnels.mswww.microsoft.comOneDrive.exepaulfalse
Sep 1, 2024 @ 11:44:50.1488kl6l904-443.uks1.devtunnels.mswww.microsoft.comOneDrive.exepaulfalse
Aug 31, 2024 @ 23:00:18.6698kl6l904-443.uks1.devtunnels.mswww.microsoft.comOneDrive.exepaulfalse
Aug 31, 2024 @ 23:00:18.6498kl6l904-443.uks1.devtunnels.mswww.microsoft.comOneDrive.exepaulfalse
We’ve giving our payload a fake certificate, it’s signed, but not trusted.
Cobalt Strike Signed Binary
Elastic EDR Dev Tunnel Tree

Detecting Dev Tunnel C2

Detecting the usage of Dev Tunnels for C2 is challenging, as the Dev Tunnels binary does not need to be present on the target host. In cases where EDR or endpoint controls fail to detect the initial payload, detecting on network-based telemetry would be challenging. As expected, the TLS connections have a valid certificate as they are after all legitimate Microsoft domains.

Dev Tunnel Domain Signed

We can look to identifying C2 traffic by looking for constant connections to the Dev Tunnel domains over sustained periods. C2 traffic

Dev Tunnel C2 Detect

Below is the query used in TimeLion to generate the above:

.es(
  index='.ds-logs-network_traffic*',
  q='destination.domain: *.uks1.devtunnels.ms',
  timefield='@timestamp',
  metric='count'
).bars(),
.es(
  index='.ds-logs-network_traffic*',
  q='destination.domain: *.uks1.devtunnels.ms',
  timefield='@timestamp',
  metric='cardinality:destination.domain'
).lines(width=2, stack=false).label("Unique Domains")

We can also use a more generic C2 detections methods, looking for high volume connections to single domains. The below shows count of connections to single domains over a 24 hour period. We can see clear outliers to our Dev Tunnel C2 domains, where constant connections are made.

Dev Tunnel C2 Detect

Network with Endpoint Telemetry

Many EDR products now are able to join domain requests with the process responsible for making the request. You can also usually enrich the binary with certificate information, looking for connections to dev tunnel domains from a non-signed or untrusted certificate can also be a method of detection.

dns.question.name : *.uks1.devtunnels.ms and process.code_signature.trusted<br>: false  

This however will not help for payloads running from a trusted source. For example sideloading or injecting a payload into a trusted process like Outlook will be more difficult to detect.

As shown below, loading a secondary payload into Outlook, shows C2 to a trusted Microsoft Domain from a trusted Microsoft Process.

Dev Tunnels C2 from trusted Process

In these cases, anomaly C2 on the Dev Tunnel domains would be required. With analysts paying focus to the surrounding and contextual activity, like looking for unusual loads or injections into the process making the requests.


Using for Persistent Access

Dev Tunnels can be used for more than just C2. As we said before, any port can be exposed for remote usage. Therefore, RDP and SSH are good candidates, allowing a threat actor to establish persistent remote access.

Ideally, we would want a scripted method of establishing and maintaining remote access via Dev Tunnels.

I created a simple PowerShell Script that does the following on a victim host.

  • Downloads a copy of Dev Tunnels and places it in a Windows Start-Up Location.
    • Download from: https://aka.ms/TunnelsCliDownload/win-x64
    • Place in: C:\Users\paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
  • Authenticates the Dev Tunnel process to an account.
    • More on this further down.
  • Sets up a tunnel, exposing port 3389 to allow for anonymous access.

Github Device Authentication

When first using Dev Tunnels on a device, you must authenticate. To do this in a scripted manner, we can use GitHub Device authentication:

devtunnel user login -g -d
Login with a GitHub account with device code login, if local interactive browser login isn’t possible

When this command is run, a device login code is written to the terminal. Using our PowerShell script, we can capture this code by writing it to a .txt file. We can then pull the string from the file, and send it to ourselves.

Dev Tunnel Script

We can use interactsh to receive the login code, but sending a POST request to our OAST domain from the PowerShell Script.

Dev Tunnel Git Login Code

We can then use the device code to authenticate to a our attacker GitHub account, via https://github.com/login/device

Dev Tunnel Git Auth

Establishing Tunnel

Now that we’ve authenticated, our PowerShell script can continue, by setting up a tunnel.

This is as easy as running a command like the one below. Port 3389 is being exposed and allows for anonymous login.

.\devtunnel.exe host -p 3389 -allow-anonymous

Dev Tunnel Setup via Script

Now that the tunnel is setup, we can authenticate to the same GitHub account from our attacker machine.

We can list out tunnels that are running within our account, and connect to the tunnel exposing RDP on our victim device by specifying the tunnel ID.

Dev Tunnel RDP

In order to connect via RDP we need to authenticate to a user on the device. If we do not already have a compromised user, we can brute force RDP via the tunnel.

Traffic is forwarded from local host, through the tunnel, to our victim host on port 3389. Therefor, to brute force, we specify local host as our target, and we’re able to brute force RDP on our victim host.

Dev Tunnel RDP Brute Force

Once we have an account to utilise, we can use a RDP client to connect. Again specifying the local host address as the the remote host, and authenticating with our compromised user.

Dev Tunnel RDP Connect
Dev Tunnel RDP Connect

This means you could in theory expose a host remotely, via a single PowerShell script, making it a candidate in phishing. This can be a method of bypassing RDP restrictions on a network, exposing internal hosts, remotely.

Detections

I’m using Elastic SIEM and Endpoint agent to collect telemetry and build custom detections.

Dev Tunnel Binary Execution Detection

In circumstances where an attacker has brought the Dev Tunnel binary onto disk, you could catch them with a simple:

Process.Name:devtunnel.exe OR File.Name:devtunnel.exe

But any decent operator is going to rename the process to something else.

You could look for the initial download, via PowerShell or WinGet

CommandLine= "*winget install Microsoft.devtunnel*"
OR 
URL= "*https://aka.ms/TunnelsCliDownload/win-x64*"

But again, these are easy to bypass, and an attacker will likely bring the tool down from their own infrastructure.

A more robust way of detection is took look for a certain DLL that the tunnel requires for operation. Looking at module load events and there’s a variety of DLLs loaded by the devtunnel.exe, but one sticks out as an easy detection, devtunnel.dll.

event.action: "load" and dll.name: "devtunnel.dll"

The DLL is loaded from a temp .net directory that is created on execution. This is a behaviour that an attacker would not be able to manipulate.

Tunnelling RDP Detection

You’ll notice the source IP in the logs for this activity is displayed as ::1, this is the loopback address for the host, or 127.0.0.1. As we are forwarding traffic from local host on our attacker machine from our victim machine, this is the address that is displayed.

Dev Tunnel RDP

Interestingly the logon type is captured as type 3, rather than type 10. The below query will show both successful and failed logons originating from a loopback address. Putting this into a detect would likely generate a lot of noise and FPs.

event.provider: "Microsoft-Windows-Security-Auditing" and event.code: 4625 or event.code : 4624 and (source.ip : "::1" or source.ip : 127.0.0.1)

Instead we can use a threshold detection to attempt to detect suspected brute forcing, from a loopback address.

Dev Tunnel RDP Brute Force Detect
Dev Tunnel RDP Brute Force Detect
Dev Tunnel RDP Brute Force Detect

Incident Response Triage & Logging

Unfortunately there is very little in the way of logging for Dev Tunnels. Unlike Microsoft VSCode Remote tunnels, which is a different implementation of the same underlying tunnel features, (more on how they can be abused another time), there is no dedicated logging for tunnel usage.

If you’re responding to an incident that involves the use of Dev Tunnels, and you do not have host or network telemetry, then your best option is to dump the Dev Tunnel process. We can get all the key information from the process dump.

Dev Tunnel URL from Memory
Dev Tunnel ID from Memory

Including the username the tunnel authenticated with.

Dev Tunnel username from Memory

Closing Thoughts

As shown, Dev Tunnels provide powerful capabilities that can be (and are) abused by Threat Actors, to make detection by Blue Teams more difficult. The best option is to outright block tunnel usage in the estate, this can be achieved by blocking the Dev Tunnel Domains listed below.

IOCs

File Hashes

FileNameSHA256
Devtunnel.execb2d8470a77930221f23415a57bc5d6901b89de6c091a3cfbc563e4bf0e7b4eb
devtunnel.dllc0513783d569051bdc230587729b1da881f7032c2ad6e8fedbbdcc61d813da25

Domains

DescriptionDomain
Dev Tunnel Domainglobal.rel.tunnels.api.visualstudio.com
Dev Tunnel Domain*.rel.tunnels.api.visualstudio.com
Dev Tunnel Domain*-data.rel.tunnels.api.visualstudio.com
Dev Tunnel Domain*.devtunnels.ms
GitHub Device Auth URL https://github.com/login/device
Tunnel Install URL https://aka.ms/TunnelsCliDownload/win-x64

Copyright © 2025 On The Hunt

Theme by Anders NorenUp ↑