Detecting Abuse of VSCode Remote Tunnels
ID: 434c8f9d-7e0a-5897-9df5-92433acacc05
STIX ID: report--434c8f9d-7e0a-5897-9df5-92433acacc05
Feed Name: On the Hunt
This report details how attackers abuse VSCode Remote Tunnels to gain remote interactive access and execute code on victim hosts. The chain typically begins with a malicious LNK that invokes PowerShell to fetch and run a Python script; the script installs or uses the VSCode CLI (code-insiders) to create a tunnel authenticated via GitHub device codes. The author walks through the attack flow and the notable process, command-line and file-system artifacts it leaves, and provides SIEM/ELK detection queries covering PowerShell download-and-execute activity, the --accept-server-license-terms flag, CLI paths, and state.vscdb entries. The report also lists the network domains to monitor or block and discusses mitigation options, including Group Policy restrictions and blocking the tunnel domains.
