From b60b6e2af3e6bd673cb855e36f937416cf3f2ee5 Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Mon, 16 Sep 2024 07:39:39 +0100 Subject: [PATCH] [New] Attempt to establish VScode Remote Tunnel (#4061) * [New] Attempt to establish VScode Remote Tunnel * Update command_and_control_tunnel_vscode.toml * Update command_and_control_tunnel_vscode.toml * Update command_and_control_tunnel_vscode.toml * Update rules/windows/command_and_control_tunnel_vscode.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> --- ...ommand_and_control_common_webservices.toml | 6 +- .../command_and_control_tunnel_vscode.toml | 60 +++++++++++++++++++ 2 files changed, 64 insertions(+), 2 deletions(-) create mode 100644 rules/windows/command_and_control_tunnel_vscode.toml diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml index f6703c421..b1edfe829 100644 --- a/rules/windows/command_and_control_common_webservices.toml +++ b/rules/windows/command_and_control_common_webservices.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/04" integration = ["endpoint"] maturity = "production" -updated_date = "2024/07/16" +updated_date = "2024/09/09" [transform] [[transform.osquery]] @@ -219,7 +219,9 @@ network where host.os.type == "windows" and network.protocol == "dns" and "run.mocky.io", "mockbin.org", "www.googleapis.com", - "googleapis.com") and + "googleapis.com", + "global.rel.tunnels.api.visualstudio.com", + "*.devtunnels.ms") and /* Insert noisy false positives here */ not ( diff --git a/rules/windows/command_and_control_tunnel_vscode.toml b/rules/windows/command_and_control_tunnel_vscode.toml new file mode 100644 index 000000000..4f7b0ab35 --- /dev/null +++ b/rules/windows/command_and_control_tunnel_vscode.toml @@ -0,0 +1,60 @@ +[metadata] +creation_date = "2024/09/09" +integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"] +maturity = "production" +min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." +min_stack_version = "8.13.0" +updated_date = "2024/09/09" + +[rule] +author = ["Elastic"] +description = """ +Detects the execution of the VScode portable binary with the tunnel command line option indicating an +attempt to establish a remote tunnel session to Github or a remote VScode instance. +""" +from = "now-9m" +index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"] +language = "eql" +license = "Elastic License v2" +name = "Attempt to Establish VScode Remote Tunnel" +references = [ + "https://badoption.eu/blog/2023/01/31/code_c2.html", + "https://code.visualstudio.com/docs/remote/tunnels" +] +risk_score = 47 +rule_id = "0b96dfd8-5b8c-4485-9a1c-69ff7839786a" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: System", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.type == "start" and + process.args : "tunnel" and (process.args : "--accept-server-license-terms" or process.name : "code*.exe") +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1219" +name = "Remote Access Software" +reference = "https://attack.mitre.org/techniques/T1219/" + + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" +