DevTunnels - Other MS Binary for Data Exfiltration (#327)

* Add files via upload * updated devtunnels.yml * Update devtunnels.yml * Update devtunnels.yml * Update devtunnels.yml * Updated Priviliges
2024-10-22 16:49:11 +02:00 · 2023-10-15 01:05:54 +03:00 · 2023-10-15 01:05:54 +03:00 · b13eb6f4fd
commit b13eb6f4fd
parent fa3b5ed33c
1 changed files with 26 additions and 0 deletions
--- a/yml/OtherMSBinaries/devtunnels.yml
+++ b/yml/OtherMSBinaries/devtunnels.yml
@ -0,0 +1,26 @@
+---
+Name: devtunnel.exe
+Description: Binary to enable forwarded ports on windows operating systems.
+Author: Kamran Saifullah
+Created: 2023-09-16
+Commands:
+  - Command: devtunnel.exe host -p 8080
+    Description: Enabling a forwarded port for locally hosted service at port 8080 to be exposed on the internet.
+    Usecase: Download Files, Upload Files, Data Exfiltration
+    Category: Download
+    Privileges: User
+    MitreID: T1105
+    OperatingSystem: Windows 10, Windows 11, MacOS
+Full_Path:
+  - Path: C:\Users\<username>\AppData\Local\Temp\.net\devtunnel\
+  - Path: C:\Users\<username>\AppData\Local\Temp\DevTunnels
+Detection:
+  - IOC: devtunnel.exe binary spawned
+  - IOC: '*.devtunnels.ms'
+  - IOC: '*.*.devtunnels.ms'
+  - Analysis: https://cydefops.com/vscode-data-exfiltration
+Resources:
+  - Link: https://code.visualstudio.com/docs/editor/port-forwarding
+Acknowledgement:
+  - Person: Kamran Saifullah
+    Handle: '@deFr0ggy'