Merge PR #4463 from @citronninja - Add New Rules Related to VsCode Tu…

…nnel Usage & Abuse

new: VsCode Code Tunnel Execution File Indicator
new: DNS Query To Devtunnels And VsCode Tunnels
new: Visual Studio Code Tunnel Remote File Creation
new: Renamed VsCode Code Tunnel Execution - File Indicator
new: Visual Studio Code Tunnel Execution
new: Visual Studio Code Tunnel Shell Execution
new: Renamed Visual Studio Code Tunnel Execution
new: Visual Studio Code Tunnel Service Installation
update: Potentially Suspicious Child Process Of VsCode

---------

Co-authored-by: Kylian ALAZARD <[email protected]>
Co-authored-by: frack113 <[email protected]>
Co-authored-by: nasbench <[email protected]>

rules-threat-hunting/windows/file/file_event/file_event_win_vscode_tunnel_indicators.yml

@@ -0,0 +1,23 @@
+title: VsCode Code Tunnel Execution File Indicator
+id: 9661ec9d-4439-4a7a-abed-d9be4ca43b6d
+status: experimental
+description: |
+    Detects the creation of a file with the name "code_tunnel.json" which indicate execution and usage of VsCode tunneling utility. Attackers can abuse this functionality to establish a C2 channel
+references:
+    - https://ipfyx.fr/post/visual-studio-code-tunnel/
+    - https://badoption.eu/blog/2023/01/31/code_c2.html
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/10/25
+tags:
+    - attack.command_and_control
+    - detection.threat_hunting
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection:
+        TargetFilename|endswith: '\code_tunnel.json'
+    condition: selection
+falsepositives:
+    - Legitimate usage of VsCode tunneling functionality will also trigger this
+level: medium

rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml

@@ -0,0 +1,27 @@
+title: DNS Query To Devtunnels And VsCode Tunnels
+id: b3e6418f-7c7a-4fad-993a-93b65027a9f1
+status: experimental
+description: |
+    Detects DNS query to Devtunnels and Visual Studio Code tunnel domains. Attackers can be abuse these features to establish a reverse shell.
+references:
+    - https://ipfyx.fr/post/visual-studio-code-tunnel/
+    - https://badoption.eu/blog/2023/01/31/code_c2.html
+    - https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2
+    - https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security
+author: citron_ninja
+date: 2023/10/25
+tags:
+    - attack.command_and_control
+    - attack.t1071.001
+logsource:
+    category: dns_query
+    product: windows
+detection:
+    selection:
+        QueryName|endswith:
+            - '.tunnels.api.visualstudio.com'
+            - '.devtunnels.ms'
+    condition: selection
+falsepositives:
+    - Legitimate use of Visual Studio Code tunnel will also trigger this
+level: medium

rules/windows/file/file_event/file_event_win_vscode_tunnel_remote_creation_artefacts.yml

@@ -0,0 +1,23 @@
+title: Visual Studio Code Tunnel Remote File Creation
+id: 56e05d41-ce99-4ecd-912d-93f019ee0b71
+status: experimental
+description: |
+    Detects the creation of file by the "node.exe" process in the ".vscode-server" directory. Could be a sign of remote file creation via VsCode tunnel feature
+references:
+    - Internal Research
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/10/25
+tags:
+    - attack.command_and_control
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection:
+        Image|contains: '\servers\Stable-'
+        Image|endswith: '\server\node.exe'
+        TargetFilename|contains: '\.vscode-server\data\User\History\'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium

rules/windows/file/file_event/file_event_win_vscode_tunnel_renamed_execution.yml

@@ -0,0 +1,27 @@
+title: Renamed VsCode Code Tunnel Execution - File Indicator
+id: d102b8f5-61dc-4e68-bd83-9a3187c67377
+status: experimental
+description: |
+    Detects the creation of a file with the name "code_tunnel.json" which indicate execution and usage of VsCode tunneling utility by an "Image" or "Process" other than VsCode.
+references:
+    - https://ipfyx.fr/post/visual-studio-code-tunnel/
+    - https://badoption.eu/blog/2023/01/31/code_c2.html
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/10/25
+tags:
+    - attack.command_and_control
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection:
+        TargetFilename|endswith: '\code_tunnel.json'
+    filter_main_legit_name:
+        # Note: There might be other legitimate names for VsCode. Please add them if found
+        Image|endswith:
+            - '\code-tunnel.exe'
+            - '\code.exe'
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - Unknown
+level: high

rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml

@@ -1,4 +1,4 @@
-title: VsCode Child Process Anomaly
+title: Potentially Suspicious Child Process Of VsCode
 id: 5a3164f2-b373-4152-93cf-090b13c12d27
 status: experimental
 description: Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.
@@ -7,6 +7,7 @@ references:
     - https://twitter.com/nas_bench/status/1618021415852335105
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/26
+modified: 2023/10/25
 tags:
     - attack.execution
     - attack.defense_evasion
@@ -43,9 +44,9 @@ detection:
     selection_children_paths:
         Image|contains:
             # Add more suspicious locations
-            - 'C:\Users\Public\'
-            - 'C:\Windows\Temp\'
-            - 'C:\Temp\'
+            - ':\Users\Public\'
+            - ':\Windows\Temp\'
+            - ':\Temp\'
     condition: selection_parent and 1 of selection_children_*
 falsepositives:
     - In development environment where VsCode is used heavily. False positives may occur when developers use task to compile or execute different types of code. Remove or add processes accordingly

rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml

@@ -0,0 +1,36 @@
+title: Visual Studio Code Tunnel Execution
+id: 90d6bd71-dffb-4989-8d86-a827fedd6624
+status: experimental
+description: Detects Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel
+references:
+    - https://ipfyx.fr/post/visual-studio-code-tunnel/
+    - https://badoption.eu/blog/2023/01/31/code_c2.html
+    - https://code.visualstudio.com/docs/remote/tunnels
+author: Nasreddine Bencherchali (Nextron Systems), citron_ninja
+date: 2023/10/25
+tags:
+    - attack.command_and_control
+    - attack.t1071.001
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_only_tunnel:
+        OriginalFileName: null
+        CommandLine|endswith: '.exe tunnel'
+    selection_tunnel_args:
+        CommandLine|contains|all:
+            - '.exe tunnel'
+            - '--name '
+            - '--accept-server-license-terms'
+    selection_parent_tunnel:
+        ParentCommandLine|endswith: ' tunnel'
+        Image|endswith: '\cmd.exe'
+        CommandLine|contains|all:
+            - '/d /c '
+            - '\servers\Stable-'
+            - 'code-server.cmd'
+    condition: 1 of selection_*
+falsepositives:
+    - Legitimate use of Visual Studio Code tunnel
+level: medium

rules/windows/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml

@@ -0,0 +1,35 @@
+title: Visual Studio Code Tunnel Shell Execution
+id: f4a623c2-4ef5-4c33-b811-0642f702c9f1
+status: experimental
+description: Detects the execution of a shell (powershell, bash, wsl...) via Visual Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system.
+references:
+    - https://ipfyx.fr/post/visual-studio-code-tunnel/
+    - https://badoption.eu/blog/2023/01/31/code_c2.html
+    - https://code.visualstudio.com/docs/remote/tunnels
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/10/25
+tags:
+    - attack.command_and_control
+    - attack.t1071.001
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_parent:
+        ParentImage|contains: '\servers\Stable-'
+        ParentImage|endswith: '\server\node.exe'
+        ParentCommandLine|contains: '.vscode-server' # Technically one can host its own local server instead of using the VsCode one. And that would probably change the name (requires further research)
+    # Note: Child processes (ie: shells) can be whatever technically (with some efforts)
+    selection_child_1:
+        Image|endswith:
+            - '\powershell.exe'
+            - '\pwsh.exe'
+        CommandLine|contains: '\terminal\browser\media\shellIntegration.ps1'
+    selection_child_2:
+        Image|endswith:
+            - '\wsl.exe'
+            - '\bash.exe'
+    condition: selection_parent and 1 of selection_child_*
+falsepositives:
+    - Legitimate use of Visual Studio Code tunnel and running code from there
+level: medium

rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml

@@ -0,0 +1,50 @@
+title: Renamed Visual Studio Code Tunnel Execution
+id: 2cf29f11-e356-4f61-98c0-1bdb9393d6da
+status: experimental
+description: Detects renamed Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel
+references:
+    - https://ipfyx.fr/post/visual-studio-code-tunnel/
+    - https://badoption.eu/blog/2023/01/31/code_c2.html
+    - https://code.visualstudio.com/docs/remote/tunnels
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/09/28
+tags:
+    - attack.command_and_control
+    - attack.t1071.001
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_image_only_tunnel:
+        OriginalFileName: null
+        CommandLine|endswith: '.exe tunnel'
+    selection_image_tunnel_args:
+        CommandLine|contains|all:
+            - '.exe tunnel'
+            - '--name '
+            - '--accept-server-license-terms'
+    selection_image_tunnel_service:
+        CommandLine|contains|all:
+            - 'tunnel '
+            - 'service'
+            - 'internal-run'
+            - 'tunnel-service.log'
+    selection_parent_tunnel:
+        ParentCommandLine|endswith: ' tunnel'
+        Image|endswith: '\cmd.exe'
+        CommandLine|contains|all:
+            - '/d /c '
+            - '\servers\Stable-'
+            - 'code-server.cmd'
+    filter_main_parent_code:
+        ParentImage|endswith:
+            - '\code-tunnel.exe'
+            - '\code.exe'
+    filter_main_image_code:
+        Image|endswith:
+            - '\code-tunnel.exe'
+            - '\code.exe'
+    condition: (1 of selection_image_* and not 1 of filter_main_image_*) or (1 of selection_parent_* and not 1 of filter_main_parent_*)
+falsepositives:
+    - Unknown
+level: high

rules/windows/process_creation/proc_creation_win_vscode_tunnel_service_install.yml

@@ -0,0 +1,27 @@
+title: Visual Studio Code Tunnel Service Installation
+id: 30bf1789-379d-4fdc-900f-55cd0a90a801
+status: experimental
+description: Detects the installation of VsCode tunnel (code-tunnel) as a service.
+references:
+    - https://ipfyx.fr/post/visual-studio-code-tunnel/
+    - https://badoption.eu/blog/2023/01/31/code_c2.html
+    - https://code.visualstudio.com/docs/remote/tunnels
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/10/25
+tags:
+    - attack.command_and_control
+    - attack.t1071.001
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains|all:
+            - 'tunnel '
+            - 'service'
+            - 'internal-run'
+            - 'tunnel-service.log'
+    condition: selection
+falsepositives:
+    - Legitimate installation of code-tunnel as a service
+level: medium