From b13eb6f4fd788a2c5da2c8d697460c240b9fff67 Mon Sep 17 00:00:00 2001
From: Kamran Saifullah - Frog Man <16836050+deFr0ggy@users.noreply.github.com>
Date: Sun, 15 Oct 2023 01:05:54 +0300
Subject: [PATCH] DevTunnels - Other MS Binary for Data Exfiltration (#327)

* Add files via upload
* updated devtunnels.yml
* Update devtunnels.yml
* Update devtunnels.yml
* Update devtunnels.yml
* Updated Priviliges
---
 yml/OtherMSBinaries/devtunnels.yml | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 yml/OtherMSBinaries/devtunnels.yml

diff --git a/yml/OtherMSBinaries/devtunnels.yml b/yml/OtherMSBinaries/devtunnels.yml
new file mode 100644
index 0000000..630fcd7
--- /dev/null
+++ b/yml/OtherMSBinaries/devtunnels.yml
@@ -0,0 +1,26 @@
+---
+Name: devtunnel.exe
+Description: Binary to enable forwarded ports on windows operating systems.
+Author: Kamran Saifullah
+Created: 2023-09-16
+Commands:
+ - Command: devtunnel.exe host -p 8080
+ Description: Enabling a forwarded port for locally hosted service at port 8080 to be exposed on the internet.
+ Usecase: Download Files, Upload Files, Data Exfiltration
+ Category: Download
+ Privileges: User
+ MitreID: T1105
+ OperatingSystem: Windows 10, Windows 11, MacOS
+Full_Path:
+ - Path: C:\Users\\AppData\Local\Temp\.net\devtunnel\
+ - Path: C:\Users\\AppData\Local\Temp\DevTunnels
+Detection:
+ - IOC: devtunnel.exe binary spawned
+ - IOC: '*.devtunnels.ms'
+ - IOC: '*.*.devtunnels.ms'
+ - Analysis: https://cydefops.com/vscode-data-exfiltration
+Resources:
+ - Link: https://code.visualstudio.com/docs/editor/port-forwarding
+Acknowledgement:
+ - Person: Kamran Saifullah
+ Handle: '@deFr0ggy'
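Review bot: Both Full_Path entries read `C:\Users\\AppData\Local\Temp\...`, with two consecutive backslashes and no user-profile component, which looks like a dropped placeholder rather than a real location; consumers that match on these paths for detection will never hit them as written. Use an explicitly marked placeholder for the profile directory, e.g. `- Path: C:\Users\<username>\AppData\Local\Temp\.net\devtunnel\` (constructed example, adjust to the repository's existing placeholder convention), and make the two entries consistent about the trailing backslash. The entry is also internally inconsistent about platform: Name is `devtunnel.exe` and Description says "windows operating systems", yet OperatingSystem lists `MacOS`; either drop MacOS or note that the macOS build is a different binary name. The Detection section could additionally point at the staging location itself, since a binary executing from the user's Temp directory at the paths listed under Full_Path is a cheap, host-side signal that complements the `*.devtunnels.ms` DNS indicators already given.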