Microsoft Dev Tunnels: Tunnelling C2 and More
ID: c2fb79c7-85d7-50a5-8ec3-131d992b4553
STIX ID: report--c2fb79c7-85d7-50a5-8ec3-131d992b4553
Feed Name: On the Hunt
This report explains how attackers can misuse Microsoft Dev Tunnels to hide command-and-control traffic and create persistent remote access (including RDP/SSH) by leveraging legitimate Microsoft domains and tunneling infrastructure. It includes examples of Cobalt Strike configuration, a PowerShell-based persistence technique using GitHub device authentication, recommended detections (process/module, TLS/domain anomalies, loopback RDP brute-force thresholds), memory forensic guidance, and IOCs such as devtunnel executable and DLL hashes and related domains.
