devtunnel.exe

Binary to enable forwarded ports on windows operating systems.

Paths

• C:\Users\<username>\AppData\Local\Temp\.net\devtunnel\devtunnel.exe
• C:\Users\<username>\AppData\Local\Temp\DevTunnels\devtunnel.exe

Commands

Download

Enabling a forwarded port for locally hosted service at port 8080 to be exposed on the internet.

Use case: Download Files, Upload Files, Data Exfiltration

Privileges: User

devtunnel.exe host -p 8080

Detection

• Sigma: https://github.com/SigmaHQ/sigma/blob/c7998c92b3c5f23ea67045bee8ee364d2ed1a775/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml
• Sigma: https://github.com/SigmaHQ/sigma/blob/c7998c92b3c5f23ea67045bee8ee364d2ed1a775/rules/windows/network_connection/net_connection_win_domain_devtunnels.yml
• IOC: devtunnel.exe binary spawned
• IOC: *.devtunnels.ms
• IOC: *.*.devtunnels.ms
• Analysis: https://cydefops.com/vscode-data-exfiltration

Resources

• https://code.visualstudio.com/docs/editor/port-forwarding