.. /VSCode GUI

Access
Exfiltration
Download

Insiders, as well as threat actors with GUI access to a system, can use this technique to create Visual Studio Tunnel links and exfiltrate data.

Paths:

Resources:

Acknowledgements:

Detections:

Access

  1. This generates a Microsoft tunnel link that proxies traffic to the locally bound port.

    Press CTRL + SHIFT + P and search for "Forward a Port". Select it and provide the local port that is to be exposed over the internet.
    Use case: Exposing an internal application over the internet through Microsoft Tunnels.
    Privileges required: User
    Operating systems: Windows, Mac, Linux

Exfiltration

  1. An insider or an external threat actor can expose the local system over the internet and exfiltrate sensitive files.

    Press CTRL + SHIFT + P and search for "Forward a Port". Select it and provide the local port on which a local server is running, for example one started with 'python -m http.server 8080'.
    Use case: Accessing and exfiltrating local files through VSCode Cloud.
    Privileges required: User
    Operating systems: Windows, Mac, Linux

Download

  1. Threat actors can host malicious binaries/payloads locally and use Microsoft Tunnels domains to download them onto the victim machine.

    Press CTRL + SHIFT + P and search for "Forward a Port". Select it and provide the local port on which a local server is running, for example one started with 'python -m http.server 8080'.
    Use case: Downloading malicious binaries/payloads onto the victim system by hosting them locally.
    Privileges required: User
    Operating systems: Windows, Mac, Linux
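
Added example (not part of the original entry): a proxy-log triage script that separates machines forwarding a port (Access, Exfiltration) from machines fetching content through a tunnel link (Download). The hostnames are assumptions taken from Microsoft's dev tunnels documentation rather than from this page, and the log format and sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumed hostnames (Microsoft dev tunnels documentation, not this page).
RELAY_SUFFIX = ".rel.tunnels.api.visualstudio.com"  # contacted by the machine forwarding a port
TUNNEL_URL = re.compile(  # assumed shape: <tunnel-id>-<port>.<cluster>.devtunnels.ms
    r"^[a-z0-9-]+?(?:-(?P<port>\d{1,5}))?\.[a-z0-9]+\.devtunnels\.ms$")

# Constructed proxy log: timestamp, client IP, destination host, bytes sent, bytes received.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 update.code.visualstudio.com 900 52000
2024-05-01T10:02:11Z 10.0.0.5 global.rel.tunnels.api.visualstudio.com 1800 2400
2024-05-01T10:02:12Z 10.0.0.5 usw2-data.rel.tunnels.api.visualstudio.com 48211900 9100
2024-05-01T10:07:40Z 10.0.0.9 k3xq9ztp-8080.usw2.devtunnels.ms 700 3145728
2024-05-01T10:08:02Z 10.0.0.9 notdevtunnels.ms 300 1200
"""

def classify(host):
    """Return (role, forwarded_port) for a destination host, or None if unrelated."""
    host = host.lower().rstrip(".")
    if host.endswith(RELAY_SUFFIX):
        return ("host", None)  # this machine is exposing a local port
    m = TUNNEL_URL.match(host)
    if m:  # this machine opened someone's tunnel link
        return ("client", int(m.group("port")) if m.group("port") else None)
    return None

def summarize(log_text):
    """Aggregate tunnel traffic per (client IP, role): bytes sent, bytes received, ports."""
    stats = defaultdict(lambda: {"sent": 0, "received": 0, "ports": set()})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        _, client, host, sent, received = fields
        hit = classify(host)
        if hit is None:
            continue
        role, port = hit
        entry = stats[(client, role)]
        entry["sent"] += int(sent)
        entry["received"] += int(received)
        if port is not None:
            entry["ports"].add(port)
    return dict(stats)

if __name__ == "__main__":
    for (client, role), s in sorted(summarize(SAMPLE_LOG).items()):
        print(client, role, s["sent"], s["received"], sorted(s["ports"]))
```

A "host" row with a large bytes-sent total points at the Exfiltration case; a "client" row with a large bytes-received total points at the Download case.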