Create proc_creation_win_code_devtunnel_tunneling.yaml

[0xAnalyst]

Summary of the Pull Request

Changelog

Example Log Event

Fixed Issues

SigmaHQ Rule Creation Conventions

• If your PR adds new rules, please consider following and applying these conventions

[github-actions]

Welcome @0xAnalyst 👋

It looks like this is your first pull request on the Sigma rules repository!

Please make sure to read the SigmaHQ conventions document to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.

Thanks again, and welcome to the Sigma community! 😃

[frack113]

HI,
There are allready some rules :

• https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_service_install.yml
• https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml
• https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml
• https://github.com/SigmaHQ/sigma/blob/master/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml

I'm surprised by the the field ProcessVersionInfoProductName

[0xAnalyst]

HI, There are allready some rules :

• https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_service_install.yml
• https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml
• https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml
• https://github.com/SigmaHQ/sigma/blob/master/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml

I'm surprised by the the field ProcessVersionInfoProductName

This is not only vscode it also cater for devtunnel commandline parameters https://detect.fyi/detecting-dev-tunnels-16f0994dc3e2. I didn't see that in the repo hence the new rule

[0xAnalyst]

@frack113 Thank you I commited the changes. this is my first sigma rule so your help is much appreciated

[0xAnalyst]

HI, There are allready some rules :

• https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_service_install.yml
• https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml
• https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml
• https://github.com/SigmaHQ/sigma/blob/master/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml

I'm surprised by the the field ProcessVersionInfoProductName

Apart from EDR ProcessVersionInfoProductName this will be available in sysmon log so not sure if I should keep it to windows events or put sysmon in there? @frack113 @nasbench. can also change it to Image if that works

[frack113]

ProcessVersionInfoProductName

In the sysmon event (but not in the windows 4688) you have:

• Description
• Product
• Company
• OriginalFileName

Can be somethink like this

    selection_exe:
        - Image|endswith:
            - '\code.exe'
            - '\devtunnel.exe'
        - OriginalFileName:
            - 'code.exe' ???
            - 'devtunnel.exe' ???
    selection_cli_tunel:
        CommandLine|contains: 'tunnel'
    selection_cli_temporary:
    selection_cli_persistent:
    condition: selection_exe and 1 of selection_cli_*

[0xAnalyst]

ProcessVersionInfoProductName

In the sysmon event (but not in the windows 4688) you have:

• Description
• Product
• Company
• OriginalFileName

Can be somethink like this

    selection_exe:
        - Image|endswith:
            - '\code.exe'
            - '\devtunnel.exe'
        - OriginalFileName:
            - 'code.exe' ???
            - 'devtunnel.exe' ???
    selection_cli_tunel:
        CommandLine|contains: 'tunnel'
    selection_cli_temporary:
    selection_cli_persistent:
    condition: selection_exe and 1 of selection_cli_*

I changed it to reflect windows event logs now with Image so all should be ok now

|  selection_cli:
        Image|endswith: 'code.exe'
        CommandLine|contains: 'tunnel'
    selection_temporary:
        CommandLine|contains|all:
            - 'host'
            - 'allow-anonymous'
    selection_persistent:
        CommandLine|contains|all:
            - 'port'
            - 'create'
            - '-p'

[frack113]

Sorry,
As the file extension was yaml not yml , some validation workflows were not used.

[frack113]

LGTM

[0xAnalyst]

Can this get merged?

[nasbench]

Can this get merged?

Are you in a rush or something?

[0xAnalyst]

Can this get merged?

Are you in a rush or something?

hahhaha nope all good

[0xAnalyst]

I think I am unable to create pull request can you help me add this new sigma rule

https://github.com/0xAnalyst/sigma/blob/master/rules/windows/network_connection/net_connection_win_domain_Bublup.yml

@nasbench @frack113
title: Potential Data Exfiltration to Bublup.com
id: 61b9d488-49f6-44e5-a9fa-d0a4dfdbfd85
status: experimental
description: Detects network connections to bublup.com, a legitimate cloud storage platform abused by threat actors (e.g., BlackSuit ransomware) for data exfiltration.
references:

• https://thedfirreport.com/2025/03/31/fake-zoom-ends-in-blacksuit-ransomware/
• https://unit42.paloaltonetworks.com/threat-assessment-blacksuit-ransomware-ignoble-scorpius/
  author: 0xAnalyst
  date: 2025/04/09
  logsource:
  category: network_connection
  product: windows
  detection:
  selection:
  Initiated: 'true'
  DestinationHostname|endswith: '.bublup.com'
  condition: selection
  falsepositives:
• Legitimate use of bublup.com for personal or approved business activity
  level: high
  tags:
• attack.exfiltration
• attack.t1567.002