Detects the creation of a VSCode or JetBrains CLI tunnel profile followed by persistent remote access over the IDE-integrated tunnel, which may be authenticated with a GitHub or JetBrains account rather than any credential the organization controls.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Network Connection Creation (DC0082) | NSM:Flow | Outbound connection to *.tunnels.api.visualstudio.com or *.devtunnels.ms |
| Field | Description |
|---|---|
| TimeWindow | Used to define the temporal proximity between tunnel profile creation and outbound connection. |
| TunnelDomainPatterns | Domain patterns for tunnel endpoints may change with IDE versions or organizations. |
| AuthorizedUserList | Helps filter tunnel usage from trusted developer accounts. |
Detects creation of the VSCode tunnel configuration file combined with an interactive remote session started through the code CLI, or through SSH via JetBrains Gateway.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve on code or jetbrains-gateway with remote flags |
| File Creation (DC0039) | auditd:SYSCALL | open: Write to ~/.vscode-cli/code_tunnel.json |
| Network Connection Creation (DC0082) | NSM:Flow | Connections to *.devtunnels.ms or tunnels.api.visualstudio.com |
| Field | Description |
|---|---|
| PathRegex | Regex patterns for user home directory file paths may vary by distro or user. |
| TunnelCLIFlags | Tunnel flags used by CLI tools can be customized or obfuscated by adversaries. |
| Username | The Linux user account associated with tunnel initiation; may vary across developer environments. |
| TunnelArtifactPath | The path of the .vscode-cli/code_tunnel.json file may vary by distribution or IDE version. |
| CommandLineFlags | Different IDEs or wrapper scripts may launch with different tunnel-related CLI options (e.g., the VSCode `tunnel` subcommand, --remote, --host). |
Detects JetBrains or VSCode tunnel profile creation followed by unusual, persistent SSH or IDE-based tunnel communications to the dev tunnel APIs.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | process: code launched with the tunnel subcommand or --remote, or jetbrains-gateway launched with remote flags |
| File Creation (DC0039) | macos:unifiedlog | creation of ~/.vscode-cli/code_tunnel.json |
| Network Connection Creation (DC0082) | NSM:Flow | HTTPS connection to tunnels.api.visualstudio.com or *.devtunnels.ms |
| Field | Description |
|---|---|
| ParentProcessName | Helps scope tunnel launch context to non-interactive or suspicious parent processes. |
| RemoteTunnelPersistence | Allows tracking of tunnel re-establishment across reboots for persistence. |
| RemoteFlag | May include values like --remote, -R, or embedded ssh arguments passed by IDEs. |
| LaunchAgentPath | If the IDE persists via LaunchAgents, defenders may choose where to monitor for tunnel auto-launching. |
| TunnelReconnectInterval | Frequency of retry attempts for tunnel reconnection can affect the correlation window. |
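The three analytics above (Windows/Sysmon, Linux/auditd, macOS/unified log) share one correlation shape: a tunnel precursor (process launch with tunnel options, or a write of the tunnel profile) followed within TimeWindow by an outbound flow to a tunnel endpoint, filtered by AuthorizedUserList. The following is an added worked example, not code from the original page or from any vendor: it normalizes events from all three sources into one stream, applies the tunables from the field tables, and suppresses repeat alerts from reconnect keepalives. The host names, user names, paths and event timestamps are constructed sample data; correlation is by host because NSM flow records normally carry no user, and the user is taken from the precursor event.

```python
"""Correlate IDE tunnel precursors with outbound tunnel flows (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Tunables, named after the fields in the analytic tables.
TIME_WINDOW = timedelta(minutes=10)
TUNNEL_DOMAIN_PATTERNS = [  # anchored so look-alikes such as devtunnels.ms.evil.net do not match
    re.compile(r"(^|\.)tunnels\.api\.visualstudio\.com$", re.I),
    re.compile(r"(^|\.)devtunnels\.ms$", re.I),
]
# VSCode starts a tunnel with the `tunnel` subcommand (`code tunnel ...`);
# --remote is the desktop client's flag. Extend for wrapper scripts.
TUNNEL_CLI_FLAGS = re.compile(r"(?:^|\s)(?:tunnel|--remote|--tunnel)(?:\s|=|$)", re.I)
TUNNEL_BINARIES = {"code", "code.exe", "code-tunnel", "code-tunnel.exe", "jetbrains-gateway"}
TUNNEL_ARTIFACT_PATH = re.compile(r"[\\/]\.vscode-cli[\\/]code_tunnel\.json$", re.I)
AUTHORIZED_USER_LIST = {"alice"}  # assumed trusted developer accounts (domain prefix stripped)


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str                   # "process" (DC0032), "file" (DC0039), "flow" (DC0082)
    detail: str                 # image path, file path, or destination FQDN
    user: Optional[str] = None  # NSM flow records usually carry no user
    cmdline: str = ""           # process events only


def normalize_user(user: Optional[str]) -> str:
    """Strip a DOMAIN\\ prefix and lowercase so Windows and Unix accounts compare."""
    return (user or "").rsplit("\\", 1)[-1].lower()


def is_tunnel_precursor(ev: Event) -> bool:
    """Tunnel-related process launch, or a write of the VSCode tunnel profile."""
    if ev.kind == "process":
        name = re.split(r"[\\/]", ev.detail)[-1].lower()
        return name in TUNNEL_BINARIES and bool(TUNNEL_CLI_FLAGS.search(ev.cmdline))
    if ev.kind == "file":
        return bool(TUNNEL_ARTIFACT_PATH.search(ev.detail))
    return False


def is_tunnel_endpoint(host: str) -> bool:
    return any(p.search(host) for p in TUNNEL_DOMAIN_PATTERNS)


def correlate(events):
    """One alert per host when a tunnel flow follows a precursor within TIME_WINDOW."""
    alerts, pending = [], []  # pending: precursors still inside the window
    for ev in sorted(events, key=lambda e: e.ts):
        pending = [p for p in pending if ev.ts - p.ts <= TIME_WINDOW]
        if is_tunnel_precursor(ev):
            pending.append(ev)
        elif ev.kind == "flow" and is_tunnel_endpoint(ev.detail):
            matches = [p for p in pending if p.host == ev.host]
            if not matches:
                continue  # tunnel traffic with no local precursor is out of scope here
            first = matches[0]
            # Drop this host's precursors so reconnect keepalives (TunnelReconnectInterval)
            # do not re-alert on the same tunnel.
            pending = [p for p in pending if p.host != ev.host]
            if normalize_user(first.user) in AUTHORIZED_USER_LIST:
                continue
            alerts.append({"host": ev.host, "user": first.user, "precursor": first.detail,
                           "destination": ev.detail,
                           "delta_s": int((ev.ts - first.ts).total_seconds())})
    return alerts


# Constructed sample events covering the three analytics.
T = datetime(2024, 5, 6, 9, 0, 0)
SAMPLE_EVENTS = [
    # Windows: Sysmon EventCode=1, EventCode=11, then NSM flow; unauthorized user -> alert.
    Event(T, "WS-BOB", "process", r"C:\Users\bob\AppData\Local\Programs\Microsoft VS Code\bin\code.exe",
          "CORP\\bob", r'"C:\...\bin\code.exe" tunnel --accept-server-license-terms --name buildbox'),
    Event(T + timedelta(seconds=5), "WS-BOB", "file", r"C:\Users\bob\.vscode-cli\code_tunnel.json", "CORP\\bob"),
    Event(T + timedelta(seconds=12), "WS-BOB", "flow", "global.rel.tunnels.api.visualstudio.com"),
    # Linux: auditd execve then NSM flow; user on AuthorizedUserList -> suppressed.
    Event(T + timedelta(minutes=1), "dev-alice", "process", "/usr/bin/code", "alice", "code tunnel --name laptop"),
    Event(T + timedelta(minutes=1, seconds=4), "dev-alice", "flow", "usw2.devtunnels.ms"),
    # macOS: unified log file creation, flow arrives after TimeWindow -> no alert.
    Event(T + timedelta(minutes=2), "mbp-carol", "file", "/Users/carol/.vscode-cli/code_tunnel.json", "carol"),
    Event(T + timedelta(minutes=20), "mbp-carol", "flow", "global.rel.tunnels.api.visualstudio.com"),
    # Flow with no precursor on that host -> nothing from this analytic.
    Event(T + timedelta(minutes=3), "WS-DAVE", "flow", "euw.devtunnels.ms"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints a single alert for WS-BOB (precursor at the process launch, flow 12 seconds later); the alice session is filtered by the user list, the carol flow falls outside TimeWindow, and the WS-DAVE flow has no precursor. Widen TIME_WINDOW or lengthen the pending list if your IDE's reconnect interval is longer than the window, otherwise a tunnel that re-establishes after a reboot will only be caught if the LaunchAgent or service relaunch itself is logged as a precursor.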