Skip to content

DET0133 IDE Tunneling Detection via Process, File, and Network Behaviors

Item Value
ID DET0133
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1219.001 (IDE Tunneling)

Analytics

Windows

AN0375

Detection of the creation of VSCode or JetBrains CLI tunneling profiles followed by persistent remote access via IDE-integrated tunnels, potentially authenticated via GitHub or JetBrains accounts.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
File Creation (DC0039) WinEventLog:Sysmon EventCode=11
Network Connection Creation (DC0082) NSM:Flow Outbound connection to .tunnels.api.visualstudio.com or .devtunnels.ms
Mutable Elements
Field Description
TimeWindow Used to define the temporal proximity between tunnel profile creation and outbound connection.
TunnelDomainPatterns Domain patterns for tunnel endpoints may change with IDE versions or organizations.
AuthorizedUserList Helps filter tunnel usage from trusted developer accounts.

Linux

AN0376

Creation of VSCode tunnel configuration file combined with interactive remote session via code CLI or ssh with JetBrains gateway.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve on code or jetbrains-gateway with remote flags
File Creation (DC0039) auditd:SYSCALL open: Write to ~/.vscode-cli/code_tunnel.json
Network Connection Creation (DC0082) NSM:Flow Connections to *.devtunnels.ms or tunnels.api.visualstudio.com
Mutable Elements
Field Description
PathRegex Regex patterns for user home directory file paths may vary by distro or user.
TunnelCLIFlags Tunnel flags used by CLI tools can be customized or obfuscated by adversaries.
Username The Linux user account associated with tunnel initiation; may vary across developer environments
TunnelArtifactPath The filepath to the .vscode-cli/code_tunnel.json file may vary by distribution or IDE version
CommandLineFlags Different IDEs or wrapper scripts may launch with different tunnel-related CLI options (e.g., –remote, –host)

macOS

AN0377

Detection of JetBrains or VSCode tunnel profile creation followed by unusual persistent SSH or IDE-based tunnel communications to devtunnel APIs.

Log Sources
Data Component Name Channel
Process Creation (DC0032) macos:unifiedlog process: code or jetbrains-gateway launching with –tunnel or –remote
File Creation (DC0039) macos:unifiedlog creation of ~/.vscode-cli/code_tunnel.json
Network Connection Creation (DC0082) NSM:Flow HTTPs connection to tunnels.api.visualstudio.com
Mutable Elements
Field Description
ParentProcessName Helps scope tunnel launch context to non-interactive or suspicious parent processes.
RemoteTunnelPersistence Allows tracking of tunnel re-establishment across reboots for persistence.
RemoteFlag May include values like –remote, -R, or embedded ssh arguments passed by IDEs
LaunchAgentPath If the IDE uses persistence via LaunchAgents, defenders may choose where to monitor for tunnel auto-launching
TunnelReconnectInterval Frequency of retry attempts for tunnel reconnection can affect correlation window