From e506e4574a47c92de1db8a25acf6e76665c6e39e Mon Sep 17 00:00:00 2001 From: Kamran Saifullah - Frog Man <16836050+deFr0ggy@users.noreply.github.com> Date: Mon, 20 Nov 2023 04:22:15 -0800 Subject: [PATCH] Merge PR #4580 from @deFr0ggy - Update VsCode/DevTunnels Communication Related Rules new: DNS Query To Devtunnels Domain - Split rule based on b3e6418f-7c7a-4fad-993a-93b65027a9f1 new: Network Connection Initiated To DevTunnels Domain new: Network Connection Initiated To Visual Studio Code Tunnels Domain update: DNS Query To Visual Studio Code Tunnels Domain - Update the rule to only focus on DNS requests from Vscode tunnels and move the logic of Devtunnels to another rule. To ease FP management for users that leverage one but not the other. --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> --- ...dns_query_win_devtunnels_communication.yml | 32 +++++++++++++++++++ ..._query_win_vscode_tunnel_communication.yml | 21 +++++++----- ...et_connection_win_devtunnel_connection.yml | 32 +++++++++++++++++++ ...onnection_win_vscode_tunnel_connection.yml | 32 +++++++++++++++++++ 4 files changed, 109 insertions(+), 8 deletions(-) create mode 100644 rules/windows/dns_query/dns_query_win_devtunnels_communication.yml create mode 100644 rules/windows/network_connection/net_connection_win_devtunnel_connection.yml create mode 100644 rules/windows/network_connection/net_connection_win_vscode_tunnel_connection.yml diff --git a/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml b/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml new file mode 100644 index 00000000000..54b62bfd967 --- /dev/null +++ b/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml 
@@ -0,0 +1,32 @@
+title: DNS Query To Devtunnels Domain
+id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b
+related:
+ - id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 # Net Connection DevTunnels
+ type: similar
+ - id: 4b657234-038e-4ad5-997c-4be42340bce4 # Net Connection VsCode
+ type: similar
+ - id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 # DNS VsCode
+ type: similar
+status: experimental
+description: |
+ Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
+references:
+ - https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2
+ - https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security
+ - https://cydefops.com/devtunnels-unleashed
+author: citron_ninja
+date: 2023/10/25
+modified: 2023/11/20
+tags:
+ - attack.command_and_control
+ - attack.t1071.001
+logsource:
+ category: dns_query
+ product: windows
+detection:
+ selection:
+ QueryName|endswith: '.devtunnels.ms'
+ condition: selection
+falsepositives:
+ - Legitimate use of Devtunnels will also trigger this.
+level: medium
diff --git a/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml b/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml
index aa898fb474b..d03bca54df3 100644
--- a/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml
+++ b/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml
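Review bot: The `related` entry for b3e6418f-7c7a-4fad-993a-93b65027a9f1 is typed `similar`, but the commit message says this rule was split out of that rule, for which Sigma's `derived` relation type is the accurate one: `- id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 # DNS VsCode` followed by `type: derived`. The inherited `author: citron_ninja` and `date: 2023/10/25` on a newly created file are consistent with that reading and are easier to justify once the relation says so. The `related` block is the only place in the rule that makes the split discoverable, since the falsepositives entry only says legitimate use will trigger it.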
@@ -1,15 +1,22 @@
-title: DNS Query To Devtunnels And VsCode Tunnels
+title: DNS Query To Visual Studio Code Tunnels Domain
 id: b3e6418f-7c7a-4fad-993a-93b65027a9f1
+related:
+ - id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 # Net Connection DevTunnels
+ type: similar
+ - id: 4b657234-038e-4ad5-997c-4be42340bce4 # Net Connection VsCode
+ type: similar
+ - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels
+ type: similar
 status: experimental
 description: |
- Detects DNS query to Devtunnels and Visual Studio Code tunnel domains. Attackers can be abuse these features to establish a reverse shell.
+ Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
 references:
 - https://ipfyx.fr/post/visual-studio-code-tunnel/
 - https://badoption.eu/blog/2023/01/31/code_c2.html
- - https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2
- - https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security
+ - https://cydefops.com/vscode-data-exfiltration
 author: citron_ninja
 date: 2023/10/25
+modified: 2023/11/20
 tags:
 - attack.command_and_control
 - attack.t1071.001
@@ -18,10 +25,8 @@ logsource:
 product: windows
 detection:
 selection:
- QueryName|endswith:
- - '.tunnels.api.visualstudio.com'
- - '.devtunnels.ms'
+ QueryName|endswith: '.tunnels.api.visualstudio.com'
 condition: selection
 falsepositives:
- - Legitimate use of Visual Studio Code tunnel will also trigger this
+ - Legitimate use of Visual Studio Code tunnel will also trigger this.
 level: medium
diff --git a/rules/windows/network_connection/net_connection_win_devtunnel_connection.yml b/rules/windows/network_connection/net_connection_win_devtunnel_connection.yml
new file mode 100644
index 00000000000..33680cfd9a2
--- /dev/null
+++ b/rules/windows/network_connection/net_connection_win_devtunnel_connection.yml
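Review bot: The second hunk narrows `QueryName|endswith` to `'.tunnels.api.visualstudio.com'`, so anyone already running rule b3e6418f silently loses the `.devtunnels.ms` coverage, and nothing in the new text says where it went; the `related` entry typed `similar` does not convey that. A sentence in the description such as `Queries to .devtunnels.ms are now covered by rule 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b.` would make the dependency explicit for deployers who pick one rule but not the other, which the commit message says is the goal. As far as I understand, VS Code Remote Tunnels is built on the same dev tunnels service, so the two domains may not separate the two products as cleanly as the titles imply; that is worth stating as a caveat in the description rather than relying on the domain split alone.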
@@ -0,0 +1,32 @@
+title: Network Connection Initiated To DevTunnels Domain
+id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4
+related:
+ - id: 4b657234-038e-4ad5-997c-4be42340bce4 # Net Connection VsCode
+ type: similar
+ - id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 # DNS VsCode
+ type: similar
+ - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels
+ type: similar
+status: experimental
+description: |
+ Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
+references:
+ - https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2
+ - https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security
+ - https://cydefops.com/devtunnels-unleashed
+author: Kamran Saifullah
+date: 2023/11/20
+tags:
+ - attack.exfiltration
+ - attack.t1567.001
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ selection:
+ Initiated: 'true'
+ DestinationHostname|endswith: '.devtunnels.ms'
+ condition: selection
+falsepositives:
+ - Legitimate use of Devtunnels will also trigger this.
+level: medium
diff --git a/rules/windows/network_connection/net_connection_win_vscode_tunnel_connection.yml b/rules/windows/network_connection/net_connection_win_vscode_tunnel_connection.yml
new file mode 100644
index 00000000000..64c07283510
--- /dev/null
+++ b/rules/windows/network_connection/net_connection_win_vscode_tunnel_connection.yml
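Review bot: The tags `attack.exfiltration` / `attack.t1567.001` do not match the behaviour the description names (reverse shell or persistence), which the two DNS rules in this same commit tag as `attack.command_and_control` / `attack.t1071.001`; T1567.001 is Exfiltration to Code Repository, and a tunnel endpoint is not a code repository. The same mismatch is in net_connection_win_vscode_tunnel_connection.yml. Aligning both files to `- attack.command_and_control` and `- attack.t1071.001` keeps the four related rules consistent; if the exfiltration tag is intentional, the description should say which exfiltration scenario it is meant to cover.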
@@ -0,0 +1,32 @@
+title: Network Connection Initiated To Visual Studio Code Tunnels Domain
+id: 4b657234-038e-4ad5-997c-4be42340bce4
+related:
+ - id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 # Net Connection DevTunnels
+ type: similar
+ - id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 # DNS VsCode
+ type: similar
+ - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels
+ type: similar
+status: experimental
+description: |
+ Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
+references:
+ - https://ipfyx.fr/post/visual-studio-code-tunnel/
+ - https://badoption.eu/blog/2023/01/31/code_c2.html
+ - https://cydefops.com/vscode-data-exfiltration
+author: Kamran Saifullah
+date: 2023/11/20
+tags:
+ - attack.exfiltration
+ - attack.t1567.001
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ selection:
+ Initiated: 'true'
+ DestinationHostname|endswith: '.tunnels.api.visualstudio.com'
+ condition: selection
+falsepositives:
+ - Legitimate use of Visual Studio Code tunnel will also trigger this.
+level: medium
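Review bot: `DestinationHostname|endswith` only fires when the network_connection event carries a resolved hostname; for Sysmon Event ID 3 that field comes from Sysmon's own name resolution, which is configurable and, as far as I know, can be empty or return a different name for a CDN-fronted endpoint, so this rule can miss connections that the paired DNS rule b3e6418f-7c7a-4fad-993a-93b65027a9f1 would see. The same limitation applies to net_connection_win_devtunnel_connection.yml. A comment above the selection, `# Depends on hostname resolution in the network_connection source; pair with the DNS query rule for coverage`, would set expectations for deployers without changing the logic.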