.. /Dev Tunnels

Star

Paths:

• Downloaded version of Dev Tunnels, which gets executed anywhere on the system.

Resources:

• https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/get-started?tabs=windows
• https://www.youtube.com/watch?v=jNgFmAY20wY

Acknowledgements:

• Ergo Proxy (@_erg0sum)
• Brian Almond (@BriPwn)

Detections:

• Domain: *.devtunnels.ms
• Domain: *.data.rel.tunnels.api.visualstudio.com
• Domain: *.rel.tunnels.api.visualstudio.com
• Domain: *.global.rel.tunnels.api.visualstudio.com
• Command: Execution of the binary and/or with arguments.

Access

1. This will generate a dev tunnel binding it to the local service running on the provided port. Can be used to expose local services, web applications and local files etc.

   devtunnel host -p 3389

   Use case

   Exposing local services, ports, web applications etc. over the internet.

   Privileges required

   User

   Operating systems

   Windows, Mac, Linux

Phishing

1. By simply hosting a phishing website locally, it is possible to expose it via a Microsoft Domain.

   devtunnel echo http -p 8080

   Use case

   Hosting malicious binaries/payloads locally and exposing them via Dev Tunnel URLs.

   Privileges required

   User

   Operating systems

   Windows, Mac, Linux