This article explores the repurposing of Visual Studio Code Dev Tunnels for remote access and Command and Control (C2) during Red Team assessments. The research deconstructs the multi-layered protocol, covering REST management, WebSocket tunneling, SSH connection nuances, and MsgPack RPC, to understand how commands are executed and files are manipulated remotely. The author highlights the complexity of the protocol, which deviates from standard SSH implementations in order to support Microsoft's relay infrastructure.
Beyond protocol analysis, the post identifies critical attack vectors including persistence via compromised hosts, lateral movement through credential extraction from VS Code's internal databases, and initial access via Device Code Phishing. It specifically examines how Entra ID features like Family of Client IDs (FOCI) and Nested App Authentication (BroCI) can be leveraged to mint access tokens for Dev Tunnels. To facilitate this tradecraft, the author introduces Ouroboros, a standalone Rust tool designed to interact with existing tunnels and execute remote RPC commands.
The article also reflects on the evolving role of Large Language Models (LLMs) in cybersecurity research. The author describes using a custom LLM rig to assist in reverse-engineering the codebase and generating code patches, emphasizing that while LLMs accelerate the technical workflow, the strategic framing and discovery of complex attack paths remain the result of human expertise and institutional knowledge.