LOLBAS/yml/OtherMSBinaries/devtunnels.yml
Kamran Saifullah - Frog Man b13eb6f4fd
DevTunnels - Other MS Binary for Data Exfiltration (#327)
* Add files via upload

* updated devtunnels.yml

* Update devtunnels.yml

* Update devtunnels.yml

* Update devtunnels.yml

* Updated Privileges
2023-10-15 00:05:54 +02:00


---
Name: devtunnel.exe
Description: Binary to enable forwarded ports on Windows operating systems.
Author: Kamran Saifullah
Created: 2023-09-16
Commands:
  - Command: devtunnel.exe host -p 8080
    Description: Enables a forwarded port so that a locally hosted service on port 8080 is exposed on the internet.
    Usecase: Download Files, Upload Files, Data Exfiltration
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows 10, Windows 11, MacOS
Full_Path:
  - Path: C:\Users\<username>\AppData\Local\Temp\.net\devtunnel\
  - Path: C:\Users\<username>\AppData\Local\Temp\DevTunnels
Detection:
  - IOC: devtunnel.exe binary spawned
  - IOC: '*.devtunnels.ms'
  - IOC: '*.*.devtunnels.ms'
  - Analysis: https://cydefops.com/vscode-data-exfiltration
Resources:
  - Link: https://code.visualstudio.com/docs/editor/port-forwarding
Acknowledgement:
  - Person: Kamran Saifullah
    Handle: '@deFr0ggy'