Merge PR #4580 from @deFr0ggy - Update VsCode/DevTunnels Communication Related Rules

deFr0ggy · nasbench · phantinuss · web-flow · commit e506e4574a47 · 2023-11-20T13:22:15.000+01:00
new: DNS Query To Devtunnels Domain - Split rule based on b3e6418f-7c7a-4fad-993a-93b65027a9f1
new: Network Connection Initiated To DevTunnels Domain
new: Network Connection Initiated To Visual Studio Code Tunnels Domain
update: DNS Query To Visual Studio Code Tunnels Domain - Update the rule to only focus on DNS requests from Vscode tunnels and move the logic of Devtunnels to another rule. To ease FP management for users that leverage one but not the other.

---------

Co-authored-by: nasbench &lt;8741929+nasbench@users.noreply.github.com&gt;
Co-authored-by: phantinuss &lt;79651203+phantinuss@users.noreply.github.com&gt;
diff --git a/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml b/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml
@@ -0,0 +1,32 @@
+title: DNS Query To Devtunnels Domain
+id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b
+related:
+    - id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 # Net Connection DevTunnels
+      type: similar
+    - id: 4b657234-038e-4ad5-997c-4be42340bce4 # Net Connection VsCode
+      type: similar
+    - id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 # DNS VsCode
+      type: similar
+status: experimental
+description: |
+    Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
+references:
+    - https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2
+    - https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security
+    - https://cydefops.com/devtunnels-unleashed
+author: citron_ninja
+date: 2023/10/25
+modified: 2023/11/20
+tags:
+    - attack.command_and_control
+    - attack.t1071.001
+logsource:
+    category: dns_query
+    product: windows
+detection:
+    selection:
+        QueryName|endswith: '.devtunnels.ms'
+    condition: selection
+falsepositives:
+    - Legitimate use of Devtunnels will also trigger this.
+level: medium
diff --git a/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml b/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml
@@ -1,15 +1,22 @@
-title: DNS Query To Devtunnels And VsCode Tunnels
+title: DNS Query To Visual Studio Code Tunnels Domain
 id: b3e6418f-7c7a-4fad-993a-93b65027a9f1
+related:
+    - id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 # Net Connection DevTunnels
+      type: similar
+    - id: 4b657234-038e-4ad5-997c-4be42340bce4 # Net Connection VsCode
+      type: similar
+    - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels
+      type: similar
 status: experimental
 description: |
-    Detects DNS query to Devtunnels and Visual Studio Code tunnel domains. Attackers can be abuse these features to establish a reverse shell.
+    Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
 references:
     - https://ipfyx.fr/post/visual-studio-code-tunnel/
     - https://badoption.eu/blog/2023/01/31/code_c2.html
-    - https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2
-    - https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security
+    - https://cydefops.com/vscode-data-exfiltration
 author: citron_ninja
 date: 2023/10/25
+modified: 2023/11/20
 tags:
     - attack.command_and_control
     - attack.t1071.001
@@ -18,10 +25,8 @@ logsource:
     product: windows
 detection:
     selection:
-        QueryName|endswith:
-            - '.tunnels.api.visualstudio.com'
-            - '.devtunnels.ms'
+        QueryName|endswith: '.tunnels.api.visualstudio.com'
     condition: selection
 falsepositives:
-    - Legitimate use of Visual Studio Code tunnel will also trigger this
+    - Legitimate use of Visual Studio Code tunnel will also trigger this.
 level: medium
diff --git a/rules/windows/network_connection/net_connection_win_devtunnel_connection.yml b/rules/windows/network_connection/net_connection_win_devtunnel_connection.yml
@@ -0,0 +1,32 @@
+title: Network Connection Initiated To DevTunnels Domain
+id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4
+related:
+    - id: 4b657234-038e-4ad5-997c-4be42340bce4 # Net Connection VsCode
+      type: similar
+    - id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 # DNS VsCode
+      type: similar
+    - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels
+      type: similar
+status: experimental
+description: |
+    Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
+references:
+    - https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2
+    - https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security
+    - https://cydefops.com/devtunnels-unleashed
+author: Kamran Saifullah
+date: 2023/11/20
+tags:
+    - attack.exfiltration
+    - attack.t1567.001
+logsource:
+    category: network_connection
+    product: windows
+detection:
+    selection:
+        Initiated: 'true'
+        DestinationHostname|endswith: '.devtunnels.ms'
+    condition: selection
+falsepositives:
+    - Legitimate use of Devtunnels will also trigger this.
+level: medium
diff --git a/rules/windows/network_connection/net_connection_win_vscode_tunnel_connection.yml b/rules/windows/network_connection/net_connection_win_vscode_tunnel_connection.yml
@@ -0,0 +1,32 @@
+title: Network Connection Initiated To Visual Studio Code Tunnels Domain
+id: 4b657234-038e-4ad5-997c-4be42340bce4
+related:
+    - id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 # Net Connection DevTunnels
+      type: similar
+    - id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 # DNS VsCode
+      type: similar
+    - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels
+      type: similar
+status: experimental
+description: |
+    Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
+references:
+    - https://ipfyx.fr/post/visual-studio-code-tunnel/
+    - https://badoption.eu/blog/2023/01/31/code_c2.html
+    - https://cydefops.com/vscode-data-exfiltration
+author: Kamran Saifullah
+date: 2023/11/20
+tags:
+    - attack.exfiltration
+    - attack.t1567.001
+logsource:
+    category: network_connection
+    product: windows
+detection:
+    selection:
+        Initiated: 'true'
+        DestinationHostname|endswith: '.tunnels.api.visualstudio.com'
+    condition: selection
+falsepositives:
+    - Legitimate use of Visual Studio Code tunnel will also trigger this.
+level: medium
