T1219.001 IDE Tunneling is a sub-technique of Remote Access Tools (T1219) in the MITRE ATT&CK framework, used by adversaries to create a secure, encapsulated communications channel into a compromised system by exploiting the features of an Integrated Development Environment (IDE). IDEs are commonly used by developers for remote coding and debugging, but adversaries can abuse them to establish covert access.
IDE Tunneling combines tools such as SSH, port forwarding, file sharing, and debugging into a single, encrypted tunnel. This allows attackers to interact with a system as if they were physically present, often blending with legitimate developer activities. By using this method, adversaries can avoid detection by security systems that focus on more traditional remote access techniques or malicious traffic.
To read about other sub-techniques of the T1219 Remote Access Tools technique, you can visit the related hub blog.
Adversaries use T1219.001 IDE Tunneling to establish secure, undetected access to compromised systems by exploiting developer tools that are often trusted and overlooked by traditional security measures. By leveraging the features of IDEs, attackers can create tunnels that mimic normal developer workflows, blending in with legitimate development and debugging activities.
In essence, IDE Tunneling allows adversaries to operate stealthily within a network, blending into normal development workflows while maintaining secure, persistent access to compromised environments.
The T1219.001 IDE Tunneling technique was introduced by MITRE ATT&CK in March 2025. One active use of this technique was documented in a China-based attack campaign [1].
The adversaries obtained Visual Studio Code (either portable or pre-installed) on compromised systems and executed code.exe tunnel to initiate the Remote Tunneling feature. This command caused the VS Code client to establish an outbound HTTPS connection to Microsoft's tunnel relay infrastructure and generate an authentication URL.
The adversaries navigated to this URL and authenticated using their own controlled GitHub account credentials. This OAuth flow bound the tunnel session to the adversaries' identity rather than any legitimate organizational account, registering the compromised machine as an accessible endpoint in their tunnel registry.
Once authenticated, Microsoft's cloud infrastructure acted as a relay broker between the adversaries' client (accessed through vscode.dev in a browser) and the compromised host. The victim machine maintained a persistent outbound WebSocket connection to Microsoft's Azure-hosted relay servers. When the adversaries connected using their authenticated session, the relay forwarded encrypted traffic bidirectionally without requiring inbound connections on the compromised system.
This created a reverse proxy architecture where all communication traversed Microsoft's trusted infrastructure using standard HTTPS on port 443, bypassing firewall egress filtering and appearing as legitimate developer traffic.
The tunnel provided the adversaries with a browser-based VS Code environment connected directly to the compromised system. Through the integrated terminal, they executed reconnaissance commands, deployed additional malware payloads, and created password-protected RAR archives for data exfiltration. The file system explorer enabled direct file manipulation, while the terminal sessions ran with the same privileges as the code.exe process.
To maintain access across reboots, the adversaries created a Windows scheduled task that executed startcode.bat at system startup. This helper script launched code.exe tunnel with flags like --accept-server-license-terms and --name to automatically re-establish the tunnel connection without user interaction. The scheduled task ensured the outbound connection to Microsoft's relay servers persisted independently of user sessions.
The technique evaded detection because code.exe is a legitimate Microsoft-signed executable, all network traffic was encrypted HTTPS to trusted Microsoft Azure domains, and no adversary-controlled infrastructure was required. The process tree in Cortex XDR showed code.exe as the parent of terminal sessions executing commands and tools, but the legitimate process signature prevented application whitelisting blocks and reduced endpoint detection alerting.
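Because code.exe itself is a trusted binary, detection has to key on how it is invoked and what it spawns. The following Python is an added example (not code from the Unit 42 report or this post) that applies those checks to constructed Sysmon-style process-creation records; the field names Image, CommandLine and ParentImage, and the sample paths, are assumptions.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "CommandLine": r'"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe" --type=renderer',
     "ParentImage": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe"},
    {"Image": r"C:\Tools\VSCode-win32-x64\code.exe",
     "CommandLine": r"code.exe tunnel --accept-server-license-terms --name build-srv",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Updater" /tr "C:\Tools\startcode.bat" /sc onstart',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c whoami",
     "ParentImage": r"C:\Tools\VSCode-win32-x64\code.exe"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Matches `code.exe tunnel` or `"...\code.exe" tunnel`, regardless of quoting and case.
TUNNEL_RE = re.compile(r'\bcode(?:\.exe)?"?\s+tunnel\b', re.IGNORECASE)
# Task action that (re)launches the tunnel: the helper name from the campaign or a direct tunnel command.
TASK_ACTION_RE = re.compile(r"startcode\.bat|code(?:\.exe)?\s+tunnel", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the finding labels that apply to one process-creation event."""
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    cmd = event["CommandLine"]
    findings = []
    if image == "code.exe" and TUNNEL_RE.search(cmd):
        findings.append("vscode_tunnel_started")
        # Flag needed for unattended (re)starts; interactive developers rarely pass it.
        if "--accept-server-license-terms" in cmd.lower():
            findings.append("vscode_tunnel_unattended")
    if image == "schtasks.exe" and "/create" in cmd.lower() and TASK_ACTION_RE.search(cmd):
        findings.append("tunnel_persistence_task")
    # Noisy on developer hosts (the integrated terminal does the same); correlate with the above.
    if parent == "code.exe" and image in SHELLS:
        findings.append("shell_spawned_by_vscode")
    return findings


def hunt(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (event index, findings) for every event that produced at least one finding."""
    return [(i, f) for i, e in enumerate(events) if (f := classify(e))]


if __name__ == "__main__":
    for i, findings in hunt(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["CommandLine"], "->", ", ".join(findings))
```

The renderer child process in the first record produces no finding, which is the expected baseline for ordinary VS Code use; the shell-from-code.exe rule is only meaningful when combined with a tunnel start on the same host or on a host where no developer should be working.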
[1] T. Fakterman, “Chinese APT Abuses VSCode to Target Government in Asia,” Unit 42, Sep. 06, 2024. Available: https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/. [Accessed: Dec. 18, 2025]