This article examines the security implications of VS Code Dev Tunnels and shows how they can be repurposed as an unintended Command and Control (C2) channel. By deconstructing the multi-layered protocol (REST-based tunnel management, WebSocket tunneling, SSH, and MsgPack-encoded RPC), the research shows how an attacker holding valid tunnel credentials can execute remote commands and read or write files on the target system while using only legitimate Microsoft developer tooling, so the traffic blends in with ordinary developer activity.
The author introduces "Ouroboros," a custom Rust-based tool that lists, interacts with, and exploits existing dev tunnels. The research also covers more advanced attack paths, including the use of Entra ID Family of Client IDs (FOCI) and Broker-based Nested App Authentication (BroCI) to pivot from tokens issued to standard applications to dev tunnel access, giving an attacker a vector for both initial access and lateral movement.