[New] Attempt to establish VScode Remote Tunnel (#4061)

* [New] Attempt to establish VScode Remote Tunnel * Update command_and_control_tunnel_vscode.toml * Update command_and_control_tunnel_vscode.toml * Update command_and_control_tunnel_vscode.toml * Update rules/windows/command_and_control_tunnel_vscode.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2024-09-16 07:39:39 +01:00
parent 3a3400c8e5
commit b60b6e2af3
2 changed files with 64 additions and 2 deletions
@@ -2,7 +2,7 @@
 creation_date = "2020/11/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/07/16"
+updated_date = "2024/09/09"

 [transform]
 [[transform.osquery]]
@@ -219,7 +219,9 @@ network where host.os.type == "windows" and network.protocol == "dns" and
        "run.mocky.io",
        "mockbin.org", 
        "www.googleapis.com", 
-        "googleapis.com") and
+        "googleapis.com",
+        "global.rel.tunnels.api.visualstudio.com",
+        "*.devtunnels.ms") and
        
    /* Insert noisy false positives here */
    not (
@@ -0,0 +1,60 @@
+[metadata]
+creation_date = "2024/09/09"
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
+maturity = "production"
+min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
+min_stack_version = "8.13.0"
+updated_date = "2024/09/09"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects the execution of the VScode portable binary with the tunnel command line option indicating an
+attempt to establish a remote tunnel session to Github or a remote VScode instance.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Attempt to Establish VScode Remote Tunnel"
+references = [
+    "https://badoption.eu/blog/2023/01/31/code_c2.html",
+    "https://code.visualstudio.com/docs/remote/tunnels"
+]
+risk_score = 47
+rule_id = "0b96dfd8-5b8c-4485-9a1c-69ff7839786a"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Command and Control",
+    "Data Source: Elastic Endgame",
+    "Data Source: Elastic Defend",
+    "Data Source: Sysmon",
+    "Data Source: SentinelOne",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: System",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+  process.args : "tunnel" and (process.args : "--accept-server-license-terms" or process.name : "code*.exe")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1219"
+name = "Remote Access Software"
+reference = "https://attack.mitre.org/techniques/T1219/"
+
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+