.. /VSCode Server

Exfiltration
Access
Shell Access

Using the tunnel feature of an installed Visual Studio Code Server to expose the local development environment over the internet.

Paths:

Resources:

Acknowledgements:

Detections:

Exfiltration

  1. Generating Visual Studio Code Server tunnels via the built-in tunneling functionality of an installed VSCode.

    code.exe tunnels
    Use case
    Generating Visual Studio Code Server tunnels to expose the local dev environment over the internet.
    Privileges required
    User
    Operating systems
    Windows, Mac, Linux

Access

  1. An insider threat or external threat actor opens the link in a web browser, which gives access to `vscode.dev\tunnels\*`, proxying the local development environment.

    Accessing generated Visual Studio Code Server Tunnels URL.
    Use case
    Accessing local files on VSCode Cloud for Data Exfiltration.
    Privileges required
    User
    Operating systems
    Windows, Mac, Linux

Shell Access

  1. An insider threat or external threat actor is able to run commands on the local system, proxied via Microsoft domains, using the built-in VSCode Server terminal.

    Shell Access via Visual Studio Code Server Tunnels.
    Use case
    Accessing and deleting files, executing payloads, downloading payloads, running malware/ransomware, etc.
    Privileges required
    User
    Operating systems
    Windows, Mac, Linux
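
A defender-side check for the tunnel creation and tunnel access described above, added here as an example (not part of the original page or of any VS Code tooling). It flags process-creation records where the VS Code CLI is started with the tunnel subcommand, and proxy-log URLs that open a tunnel session on vscode.dev. The record fields `image` and `command_line`, the `code-insiders` launcher name, the singular `tunnel` spelling and all sample data are assumptions.

```python
import ntpath
import shlex
from urllib.parse import urlsplit

# Assumed names: VS Code CLI launchers, and the subcommand both as this page
# spells it ("tunnels") and in the singular.
CODE_BINARIES = {"code", "code-insiders"}
TUNNEL_WORDS = {"tunnel", "tunnels"}

def is_tunnel_launch(event):
    """True when a process-creation record is a VS Code CLI run in tunnel mode."""
    name = ntpath.basename(event["image"]).lower()
    if name.endswith(".exe"):
        name = name[:-4]
    if name not in CODE_BINARIES:
        return False
    try:
        # posix=False leaves Windows backslashes alone; quotes stay on tokens.
        tokens = shlex.split(event["command_line"], posix=False)
    except ValueError:  # unbalanced quote in a truncated log field
        tokens = event["command_line"].split()
    # Exact token match, so a file path that merely contains "tunnel" is ignored.
    return any(t.strip('"').lower() in TUNNEL_WORDS for t in tokens[1:])

def is_tunnel_url(url):
    """True when a proxy-log URL points at a tunnel session on vscode.dev."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    return (parts.hostname == "vscode.dev" and bool(segments)
            and segments[0].lower() in TUNNEL_WORDS)

# Constructed sample records, not taken from a real host.
CODE_EXE = r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe"
EVENTS = [
    {"image": CODE_EXE, "command_line": f'"{CODE_EXE}" tunnels'},
    {"image": CODE_EXE, "command_line": f'"{CODE_EXE}" C:\\src\\tunnel-notes\\a.md'},
    {"image": "/usr/bin/code", "command_line": "/usr/bin/code tunnel"},
    {"image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c echo tunnel"},
]
URLS = [
    "https://vscode.dev/tunnel/devbox/home/dev/project",
    "https://vscode.dev/",
    "https://example.com/tunnel/devbox",
]

if __name__ == "__main__":
    for e in EVENTS:
        print(is_tunnel_launch(e), e["command_line"])
```

Matching on the image name alone misses a renamed binary, so pair this with the URL check on egress logs.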