1. Home
  2. Techniques
  3. Enterprise
  4. Remote Access Tools
  5. IDE Tunneling

Remote Access Tools: IDE Tunneling

ID Name
T1219.001 IDE Tunneling
T1219.002 Remote Desktop Software
T1219.003 Remote Access Hardware

Adversaries may abuse Integrated Development Environment (IDE) software with remote development features to establish an interactive command and control channel on target systems within a network. IDE tunneling combines SSH, port forwarding, file sharing, and debugging into a single secure connection, letting developers work on remote systems as if they were local. Unlike SSH and port forwarding, IDE tunneling encapsulates an entire session and may use proprietary tunneling protocols alongside SSH, allowing adversaries to blend in with legitimate development workflows. Some IDEs, like Visual Studio Code, also provide CLI tools (e.g., code tunnel) that adversaries may use to programmatically establish tunnels and generate web-accessible URLs for remote access. These tunnels can be authenticated through accounts such as GitHub, enabling the adversary to control the compromised system via a legitimate developer portal.[1][2][3]

Additionally, adversaries may use IDE tunneling for persistence. Some IDEs, such as Visual Studio Code and JetBrains, support automatic reconnection. Adversaries may configure the IDE to auto-launch at startup, re-establishing the tunnel upon execution. Compromised developer machines may also be exploited as jump hosts to move further into the network.

IDE tunneling tools may be built-in or installed as IDE Extensions.

ID: T1219.001
Sub-technique of:  T1219
Tactic: Command and Control
Platforms: Linux, Windows, macOS
Version: 1.0
Created: 20 March 2025
Last Modified: 15 April 2025
Version Permalink

Mitigations

ID Mitigation Description
M1038 Execution Prevention

Use Group Policies to require user authentication by disabling anonymous tunnel access, preventing any unauthenticated tunnel creation or usage. Disable the Visual Studio Dev Tunnels feature to block tunnel-related commands, allowing only minimal exceptions for utility functions (unset, echo, ping, and user). Restrict tunnel access to approved Microsoft Entra tenant IDs by specifying allowed tenants; all other users are denied access by default.[4][5]

Detection

ID Data Source Data Component Detects
DS0022 File File Creation

Monitor for the creation of the file code_tunnel.json within the .vscode-cli directory in a user's home profile (~/.vscode-cli/code_tunnel.json on Linux/macOS or %UserProfile%\.vscode-cli\code_tunnel.json on Windows), which signals a Visual Studio Code tunnel has been established.[3]

Analytic 1 - Monitor for active or persistent VS Code Tunnel

sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11(file_path="\.vscode-cli\code_tunnel.json" OR file_path="/.vscode-cli/code_tunnel.json")| stats min(_time) as creation_time by host, user, file_path| sort creation_time

DS0029 Network Traffic Network Connection Creation

Network traffic directed to *.tunnels.api.visualstudio.com or *.devtunnels.ms indicate that a system is attempting to initiate or maintain a Visual Studio Code remote tunnel.[6]

Analytic 1 - Detect active IDE tunnel to VSCode or JetBrains cloud relay

sourcetype="stream:http" OR sourcetype="stream:tcp"(dest_domain=".tunnels.api.visualstudio.com" OR dest_domain=".devtunnels.ms")| stats count by _time, src_ip, dest_ip, dest_domain, uri_path| sort _time desc
DS0009 Process Process Creation

On Windows, monitor for executions of code.exe with arguments such as tunnel, --remote, or --host. On macOS, monitor processes like code or jetbrains-gateway launched with similar remote access flags. On Linux, track the execution of code, jetbrains-gateway, or ssh with tunneling options like -R, -L, or -D. These process-creation events can indicate attempts to establish remote tunnels through IDEs.

Analytic 1 - Detect interactive remote access session initiated by IDE

sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1(Image="\code.exe" OR Image="/code" OR Image="/jetbrains-gateway" OR Image="/ssh")(CommandLine="tunnel" OR CommandLine="--remote" OR CommandLine="-R" OR CommandLine="-L" OR CommandLine="-D*")| table _time, host, user, Image, CommandLine, ParentImage| sort _time desc

References

  1. Aleksandar Milenkoski, Luigi Martire. (2024, December 10). Operation Digital Eye | Chinese APT Compromises Critical Digital Infrastructure via Visual Studio Code Tunnels. Retrieved February 27, 2025.
  2. Tom Fakterman. (2024, September 6). Chinese APT Abuses VSCode to Target Government in Asia. Retrieved March 24, 2025.
  3. Truvis Thornton. (2023, September 25). Visual Studio Code: embedded reverse shell and how to block, create Sentinel Detection, and add Environment Prevention. Retrieved March 24, 2025.
  1. Derek Bekoe, Carolina Uribe. (2023, March 28). Configure and deploy Group Policy Administrative Templates for Dev Tunnels. Retrieved March 24, 2025.
  2. Carolina Uribe. (2024, May 28). Manage Dev Tunnels with Group Policies. Retrieved April 8, 2025.
  3. Mnemonic. (n.d.). Advisory: Misuse of Visual Studio Code for traffic tunnelling. Retrieved March 30, 2025.