Sigma rules for CVE-2024-0092
14 rules · scoped to cve · back to CVE-2024-0092
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Renamed Visual Studio Code Tunnel Execution
id: 2cf29f11-e356-4f61-98c0-1bdb9393d6da
status: test
description: Detects renamed Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel
references:
- https://ipfyx.fr/post/visual-studio-code-tunnel/
- https://badoption.eu/blog/2023/01/31/code_c2.html
- https://code.visualstudio.com/docs/remote/tunnels
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-28
modified: 2025-10-29
tags:
- attack.command-and-control
- attack.t1071.001
- attack.t1219
logsource:
category: process_creation
product: windows
detection:
selection_image_only_tunnel:
OriginalFileName: null
CommandLine|endswith: '.exe tunnel'
selection_image_tunnel_args:
CommandLine|contains|all:
- '.exe tunnel'
- '--accept-server-license-terms'
selection_image_tunnel_service:
CommandLine|contains|all:
- 'tunnel '
- 'service'
- 'internal-run'
- 'tunnel-service.log'
selection_parent_tunnel:
ParentCommandLine|endswith: ' tunnel'
Image|endswith: '\cmd.exe'
CommandLine|contains|all:
- '/d /c '
- '\servers\Stable-'
- 'code-server.cmd'
filter_main_parent_code:
ParentImage|endswith:
- '\code-tunnel.exe'
- '\code.exe'
filter_main_image_code:
Image|endswith:
- '\code-tunnel.exe'
- '\code.exe'
condition: (1 of selection_image_* and not 1 of filter_main_image_*) or (selection_parent_tunnel and not 1 of filter_main_parent_*)
falsepositives:
- Unknown
level: high
title: Network Connection Initiated To Visual Studio Code Tunnels Domain
id: 4b657234-038e-4ad5-997c-4be42340bce4
related:
- id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 # Net Connection DevTunnels
type: similar
- id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 # DNS VsCode
type: similar
- id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels
type: similar
status: test
description: |
Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
references:
- https://ipfyx.fr/post/visual-studio-code-tunnel/
- https://badoption.eu/blog/2023/01/31/code_c2.html
- https://cydefops.com/vscode-data-exfiltration
author: Kamran Saifullah
date: 2023-11-20
tags:
- attack.exfiltration
- attack.command-and-control
- attack.t1567
- attack.t1572
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
DestinationHostname|endswith: '.tunnels.api.visualstudio.com'
condition: selection
falsepositives:
- Legitimate use of Visual Studio Code tunnel will also trigger this.
level: medium
title: Visual Studio Code Tunnel Remote File Creation
id: 56e05d41-ce99-4ecd-912d-93f019ee0b71
status: test
description: |
Detects the creation of file by the "node.exe" process in the ".vscode-server" directory. Could be a sign of remote file creation via VsCode tunnel feature
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-25
tags:
- attack.command-and-control
logsource:
category: file_event
product: windows
detection:
selection:
Image|contains: '\servers\Stable-'
Image|endswith: '\server\node.exe'
TargetFilename|contains: '\.vscode-server\data\User\History\'
condition: selection
falsepositives:
- Unknown
level: medium
title: DNS Query To Visual Studio Code Tunnels Domain
id: b3e6418f-7c7a-4fad-993a-93b65027a9f1
related:
- id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 # Net Connection DevTunnels
type: similar
- id: 4b657234-038e-4ad5-997c-4be42340bce4 # Net Connection VsCode
type: similar
- id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels
type: similar
status: test
description: |
Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
references:
- https://ipfyx.fr/post/visual-studio-code-tunnel/
- https://badoption.eu/blog/2023/01/31/code_c2.html
- https://cydefops.com/vscode-data-exfiltration
author: citron_ninja
date: 2023-10-25
modified: 2023-11-20
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
product: windows
category: dns_query
detection:
selection:
QueryName|endswith: '.tunnels.api.visualstudio.com'
condition: selection
falsepositives:
- Legitimate use of Visual Studio Code tunnel will also trigger this.
level: medium
title: Visual Studio Code Tunnel Execution
id: 90d6bd71-dffb-4989-8d86-a827fedd6624
status: test
description: Detects Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel
references:
- https://ipfyx.fr/post/visual-studio-code-tunnel/
- https://badoption.eu/blog/2023/01/31/code_c2.html
- https://code.visualstudio.com/docs/remote/tunnels
author: Nasreddine Bencherchali (Nextron Systems), citron_ninja
date: 2023-10-25
modified: 2025-10-29
tags:
- attack.command-and-control
- attack.t1071.001
- attack.t1219
logsource:
category: process_creation
product: windows
detection:
selection_only_tunnel:
OriginalFileName: null
CommandLine|endswith: '.exe tunnel'
selection_tunnel_args:
CommandLine|contains|all:
- '.exe tunnel'
- '--accept-server-license-terms'
selection_parent_tunnel:
ParentCommandLine|endswith: ' tunnel'
Image|endswith: '\cmd.exe'
CommandLine|contains|all:
- '/d /c '
- '\servers\Stable-'
- 'code-server.cmd'
condition: 1 of selection_*
falsepositives:
- Legitimate use of Visual Studio Code tunnel
level: medium
title: Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution
id: a20391f8-76fb-437b-abc0-dba2df1952c6
related:
- id: 65c3ca2c-525f-4ced-968e-246a713d164f
type: similar
status: test
description: Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary
references:
- https://twitter.com/mrd0x/status/1463526834918854661
- https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-11
modified: 2023-04-11
tags:
- attack.execution
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\Microsoft.NodejsTools.PressAnyKey.exe'
condition: selection
falsepositives:
- Legitimate use by developers as part of NodeJS development with Visual Studio Tools
level: medium
title: Visual Studio Code Tunnel Shell Execution
id: f4a623c2-4ef5-4c33-b811-0642f702c9f1
status: test
description: Detects the execution of a shell (powershell, bash, wsl...) via Visual Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system.
references:
- https://ipfyx.fr/post/visual-studio-code-tunnel/
- https://badoption.eu/blog/2023/01/31/code_c2.html
- https://code.visualstudio.com/docs/remote/tunnels
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-25
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|contains: '\servers\Stable-'
ParentImage|endswith: '\server\node.exe'
ParentCommandLine|contains: '.vscode-server' # Technically one can host its own local server instead of using the VsCode one. And that would probably change the name (requires further research)
# Note: Child processes (ie: shells) can be whatever technically (with some efforts)
selection_child_1:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains: '\terminal\browser\media\shellIntegration.ps1'
selection_child_2:
Image|endswith:
- '\wsl.exe'
- '\bash.exe'
condition: selection_parent and 1 of selection_child_*
falsepositives:
- Legitimate use of Visual Studio Code tunnel and running code from there
level: medium
title: Malicious PE Execution by Microsoft Visual Studio Debugger
id: 15c7904e-6ad1-4a45-9b46-5fb25df37fd2
status: test
description: |
There is an option for a MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch specified executable and attach a debugger.
This option may be used adversaries to execute malicious code by signed verified binary.
The debugger is installed alongside with Microsoft Visual Studio package.
references:
- https://twitter.com/pabraeken/status/990758590020452353
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/
- https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019
author: Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community
date: 2020-10-14
modified: 2022-10-09
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\vsjitdebugger.exe'
reduction1:
Image|endswith: '\vsimmersiveactivatehelper*.exe'
reduction2:
Image|endswith: '\devenv.exe'
condition: selection and not (reduction1 or reduction2)
falsepositives:
- The process spawned by vsjitdebugger.exe is uncommon.
level: medium
title: Visual Studio Code Tunnel Service Installation
id: 30bf1789-379d-4fdc-900f-55cd0a90a801
status: test
description: Detects the installation of VsCode tunnel (code-tunnel) as a service.
references:
- https://ipfyx.fr/post/visual-studio-code-tunnel/
- https://badoption.eu/blog/2023/01/31/code_c2.html
- https://code.visualstudio.com/docs/remote/tunnels
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-25
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'tunnel '
- 'service'
- 'internal-run'
- 'tunnel-service.log'
condition: selection
falsepositives:
- Legitimate installation of code-tunnel as a service
level: medium
title: Visual Studio NodejsTools PressAnyKey Renamed Execution
id: 65c3ca2c-525f-4ced-968e-246a713d164f
related:
- id: a20391f8-76fb-437b-abc0-dba2df1952c6
type: similar
status: test
description: Detects renamed execution of "Microsoft.NodejsTools.PressAnyKey.exe", which can be abused as a LOLBIN to execute arbitrary binaries
references:
- https://twitter.com/mrd0x/status/1463526834918854661
- https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5
author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
date: 2023-04-11
tags:
- attack.execution
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
OriginalFileName: 'Microsoft.NodejsTools.PressAnyKey.exe'
filter_main_legit_name:
Image|endswith: '\Microsoft.NodejsTools.PressAnyKey.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
title: Potential Persistence Via Visual Studio Tools for Office
id: 9d15044a-7cfe-4d23-8085-6ebc11df7685
status: test
description: Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.
references:
- https://twitter.com/_vivami/status/1347925307643355138
- https://vanmieghem.io/stealth-outlook-persistence/
author: Bhabesh Raj
date: 2021-01-10
modified: 2026-01-09
tags:
- attack.t1137.006
- attack.persistence
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains:
- '\Software\Microsoft\Office\Outlook\Addins\'
- '\Software\Microsoft\Office\Word\Addins\'
- '\Software\Microsoft\Office\Excel\Addins\'
- '\Software\Microsoft\Office\Powerpoint\Addins\'
- '\Software\Microsoft\VSTO\Security\Inclusion\'
filter_main_system:
Image:
- 'C:\Windows\System32\msiexec.exe'
- 'C:\Windows\SysWOW64\msiexec.exe'
- 'C:\Windows\System32\regsvr32.exe'
- 'C:\Windows\SysWOW64\regsvr32.exe' # e.g. default Evernote installation
filter_main_office_click_to_run:
Image|startswith:
- 'C:\Program Files\Common Files (x86)\Microsoft Shared\ClickToRun\'
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
Image|endswith: '\OfficeClickToRun.exe'
filter_main_integrator:
Image:
- 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
- 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
filter_main_office_apps:
Image|startswith:
- 'C:\Program Files\Microsoft Office\OFFICE'
- 'C:\Program Files (x86)\Microsoft Office\OFFICE'
- 'C:\Program Files\Microsoft Office\Root\OFFICE'
- 'C:\Program Files (x86)\Microsoft Office\Root\OFFICE'
- 'C:\PROGRA~2\MICROS~2\Office'
Image|endswith:
- '\excel.exe'
- '\Integrator.exe'
- '\OneNote.exe'
- '\outlook.exe'
- '\powerpnt.exe'
- '\Teams.exe'
- '\visio.exe'
- '\winword.exe'
filter_main_vsto:
Image|startswith:
- 'C:\Program Files\Common Files\Microsoft Shared\VSTO\'
- 'C:\Program Files (x86)\Microsoft Shared\VSTO\'
Image|endswith: '\VSTOInstaller.exe'
filter_optional_avg:
Image:
- 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
- 'C:\Program Files (x86)\AVG\Antivirus\RegSvr.exe'
TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'
filter_optional_avast:
Image:
- 'C:\Program Files\Avast Software\Avast\RegSvr.exe'
- 'C:\Program Files (x86)\Avast Software\Avast\RegSvr.exe'
TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Avast.AsOutExt\'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate Addin Installation
level: medium
title: Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine
id: 6225c53a-a96e-4235-b28f-8d7997cd96eb
related:
- id: 8b7273a4-ba5d-4d8a-b04f-11f2900d043a
type: similar
status: experimental
description: |
Detects the tampering of Hypervisor-protected Code Integrity (HVCI) related registry values via command line tool reg.exe.
HVCI uses virtualization-based security to protect code integrity by ensuring that only trusted code can run in kernel mode.
Adversaries may tamper with HVCI to load malicious or unsigned drivers, which can be used to escalate privileges, maintain persistence, or evade security mechanisms.
references:
- https://www.sophos.com/en-us/blog/sharpening-the-knife-gold-blades-strategic-evolution
- https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-26
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\reg.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
- 'reg.exe'
selection_cli:
CommandLine|contains:
- 'add '
- 'New-ItemProperty '
- 'Set-ItemProperty '
- 'si ' # SetItem Alias
selection_cli_base:
CommandLine|contains: '\DeviceGuard'
selection_cli_key:
CommandLine|contains:
- 'EnableVirtualizationBasedSecurity'
- 'HypervisorEnforcedCodeIntegrity'
condition: all of selection_*
falsepositives:
- Legitimate system administration tasks that require disabling HVCI for troubleshooting purposes when certain drivers or applications are incompatible with it.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_hvci_registry_tampering/info.yml
simulation:
- type: atomic-red-team
name: Disable Hypervisor-Enforced Code Integrity (HVCI)
technique: T1562.001
atomic_guid: 70bd71e6-eba4-4e00-92f7-617911dbe020
title: Windows Hypervisor Enforced Code Integrity Disabled
id: 8b7273a4-ba5d-4d8a-b04f-11f2900d043a
related:
- id: 6225c53a-a96e-4235-b28f-8d7997cd96eb
type: similar
status: test
description: |
Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel
references:
- https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/
- https://github.com/redcanaryco/atomic-red-team/blob/04e487c1828d76df3e834621f4f893ea756d5232/atomics/T1562.001/T1562.001.md#atomic-test-43---disable-hypervisor-enforced-code-integrity-hvci
author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati
date: 2023-03-14
modified: 2024-07-05
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith:
- '\Control\DeviceGuard\HypervisorEnforcedCodeIntegrity'
- '\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled'
- '\Microsoft\Windows\DeviceGuard\HypervisorEnforcedCodeIntegrity'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Legitimate system administration tasks that require disabling HVCI for troubleshooting purposes when certain drivers or applications are incompatible with it.
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled/info.yml
simulation:
- type: atomic-red-team
name: Disable Hypervisor-Enforced Code Integrity (HVCI)
technique: T1562.001
atomic_guid: 70bd71e6-eba4-4e00-92f7-617911dbe020
title: Hypervisor Enforced Paging Translation Disabled
id: 7f2954d2-99c2-4d42-a065-ca36740f187b
status: test
description: |
Detects changes to the "DisableHypervisorEnforcedPagingTranslation" registry value. Where the it is set to "1" in order to disable the Hypervisor Enforced Paging Translation feature.
references:
- https://twitter.com/standa_t/status/1808868985678803222
- https://github.com/AaLl86/WindowsInternals/blob/070dc4f317726dfb6ffd2b7a7c121a33a8659b5e/Slides/Hypervisor-enforced%20Paging%20Translation%20-%20The%20end%20of%20non%20data-driven%20Kernel%20Exploits%20(Recon2024).pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-05
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\DisableHypervisorEnforcedPagingTranslation'
Details: 'DWORD (0x00000001)'
condition: selection
falsepositives:
- Unknown
level: high