Esc

IDE Tunneling - T1219.001

(ATT&CK® Technique)

Definition

Adversaries may abuse Integrated Development Environment (IDE) software with remote development features to establish an interactive command and control channel on target systems within a network. IDE tunneling combines SSH, port forwarding, file sharing, and debugging into a single secure connection, letting developers work on remote systems as if they were local. Unlike SSH and port forwarding, IDE tunneling encapsulates an entire session and may use proprietary tunneling protocols alongside SSH, allowing adversaries to blend in with legitimate development workflows. Some IDEs, like Visual Studio Code, also provide CLI tools (e.g., code tunnel) that adversaries may use to programmatically establish tunnels and generate web-accessible URLs for remote access. These tunnels can be authenticated through accounts such as GitHub, enabling the adversary to control the compromised system via a legitimate developer portal.

D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.

        graph LR;

     T1219001["IDE Tunneling"] --> |produces| OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"]; class T1219001 OffensiveTechniqueNode;
        class OutboundInternetNetworkTraffic ArtifactNode; click OutboundInternetNetworkTraffic href "../../../dao/artifact/d3f:OutboundInternetNetworkTraffic";
        click T1219001 href "../../../offensive-technique/attack/T1219.001/"; click OutboundInternetNetworkTraffic href "../../../dao/artifact/d3f:OutboundInternetNetworkTraffic";Client-serverPayloadProfiling["Client-server Payload Profiling"] -->
          | analyzes | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"];

          Client-serverPayloadProfiling["Client-server Payload Profiling"] -.->
            | may-detect | T1219001["IDE Tunneling"] ;
          class Client-serverPayloadProfiling DefensiveTechniqueNode;
          class OutboundInternetNetworkTraffic ArtifactNode;
          click Client-serverPayloadProfiling href "../../../technique/d3f:Client-serverPayloadProfiling"; NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -->
          | analyzes | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"];

          NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.->
            | may-detect | T1219001["IDE Tunneling"] ;
          class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
          class OutboundInternetNetworkTraffic ArtifactNode;
          click NetworkTrafficCommunityDeviation href "../../../technique/d3f:NetworkTrafficCommunityDeviation"; PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -->
          | analyzes | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"];

          PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.->
            | may-detect | T1219001["IDE Tunneling"] ;
          class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
          class OutboundInternetNetworkTraffic ArtifactNode;
          click PerHostDownload-UploadRatioAnalysis href "../../../technique/d3f:PerHostDownload-UploadRatioAnalysis"; ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -->
          | analyzes | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"];

          ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.->
            | may-detect | T1219001["IDE Tunneling"] ;
          class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
          class OutboundInternetNetworkTraffic ArtifactNode;
          click ProtocolMetadataAnomalyDetection href "../../../technique/d3f:ProtocolMetadataAnomalyDetection"; RelayPatternAnalysis["Relay Pattern Analysis"] -->
          | analyzes | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"];

          RelayPatternAnalysis["Relay Pattern Analysis"] -.->
            | may-detect | T1219001["IDE Tunneling"] ;
          class RelayPatternAnalysis DefensiveTechniqueNode;
          class OutboundInternetNetworkTraffic ArtifactNode;
          click RelayPatternAnalysis href "../../../technique/d3f:RelayPatternAnalysis"; RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -->
          | analyzes | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"];

          RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.->
            | may-detect | T1219001["IDE Tunneling"] ;
          class RemoteTerminalSessionDetection DefensiveTechniqueNode;
          class OutboundInternetNetworkTraffic ArtifactNode;
          click RemoteTerminalSessionDetection href "../../../technique/d3f:RemoteTerminalSessionDetection"; NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -->
          | analyzes | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"];

          NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -.->
            | may-detect | T1219001["IDE Tunneling"] ;
          class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
          class OutboundInternetNetworkTraffic ArtifactNode;
          click NetworkTrafficSignatureAnalysis href "../../../technique/d3f:NetworkTrafficSignatureAnalysis"; UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -->
          | analyzes | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"];

          UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.->
            | may-detect | T1219001["IDE Tunneling"] ;
          class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
          class OutboundInternetNetworkTraffic ArtifactNode;
          click UserGeolocationLogonPatternAnalysis href "../../../technique/d3f:UserGeolocationLogonPatternAnalysis"; NetworkTrafficFiltering["Network Traffic Filtering"] -->
          | filters | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"];

          NetworkTrafficFiltering["Network Traffic Filtering"] -.->
            | may-isolate | T1219001["IDE Tunneling"] ;
          class NetworkTrafficFiltering DefensiveTechniqueNode;
          class OutboundInternetNetworkTraffic ArtifactNode;
          click NetworkTrafficFiltering href "../../../technique/d3f:NetworkTrafficFiltering"; OutboundTrafficFiltering["Outbound Traffic Filtering"] -->
          | filters | OutboundInternetNetworkTraffic["Outbound Internet Network Traffic"];

          OutboundTrafficFiltering["Outbound Traffic Filtering"] -.->
            | may-isolate | T1219001["IDE Tunneling"] ;
          class OutboundTrafficFiltering DefensiveTechniqueNode;
          class OutboundInternetNetworkTraffic ArtifactNode;
          click OutboundTrafficFiltering href "../../../technique/d3f:OutboundTrafficFiltering";

json