AN0375: Analytic 0375
Detection of the creation of VSCode or JetBrains CLI tunneling profiles followed by persistent remote access via IDE-integrated tunnels, potentially authenticated via GitHub or JetBrains accounts.
Analyst context for executives and security teams
AN0375 is a Windows detection analytic focused on IDE-integrated remote tunnels: creation of VSCode or JetBrains CLI tunneling profiles followed by persistent remote access, potentially tied to GitHub or JetBrains accounts. For leaders, the material issue is that developer tooling can become an approved-looking remote access path, which may bypass assumptions built around traditional VPN, RMM, or privileged access controls.
Executive priority
Prioritize this analytic where Windows developer workstations, build systems, or administrative endpoints use VSCode or JetBrains tooling. The key business question is whether the organization can distinguish legitimate developer remote access from persistent access that creates incident response, audit, and access governance risk. This is especially relevant to SOC readiness, identity oversight for GitHub or JetBrains accounts, and evidence that remote access paths are inventoried and monitored.
Technical view
SOC and detection teams should validate whether Windows telemetry can identify creation of VSCode or JetBrains CLI tunneling profiles and subsequent persistent IDE tunnel activity. Because ATT&CK does not provide an official detection query or tactic mapping for this object, teams should treat AN0375 as a coverage-validation prompt rather than a complete rule. Confirm what normal developer use looks like, which endpoints are expected to use IDE tunnels, and whether authentication context involving GitHub or JetBrains accounts can be correlated with endpoint activity.
Likely telemetry
- Windows endpoint process execution and command-line telemetry for VSCode and JetBrains CLI-related activity
- File or configuration change telemetry showing creation or modification of IDE tunneling profiles
- Network connection telemetry from Windows hosts associated with IDE-integrated tunnel activity
- Identity or SaaS authentication logs for GitHub or JetBrains accounts where available
- Endpoint inventory showing where VSCode, JetBrains IDEs, or related CLI components are installed
Detection direction
- Start by inventorying legitimate VSCode and JetBrains tunnel usage on Windows to reduce false positives from approved developer workflows.
- Correlate profile creation with sustained or recurring remote access behavior rather than alerting only on tool presence.
- Tune by user role, host purpose, and expected developer activity; developer workstations may need different baselines than servers or administrative endpoints.
- Look for gaps where endpoint telemetry exists but identity context for GitHub or JetBrains authentication is not available to the SOC.
- Document that ATT&CK provides no official detection logic for this analytic, so local validation and testing are required before relying on it for coverage claims.
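The correlation step above (profile creation, then recurring tunnel activity, filtered by an inventory of approved hosts) as an added Python illustration; this is not ATT&CK or Glexia detection content. It assumes process-creation telemetry with host, user, timestamp and command line, uses the VS Code CLI's real `code tunnel` and `code tunnel service install` subcommands, and leaves JetBrains CLI patterns to be added from local inventory.

```python
import re
from collections import defaultdict

# Constructed sample Windows process-creation events (not real telemetry).
# The VS Code CLI's "code tunnel" subcommand starts a tunnel, and
# "code tunnel service install" registers it as a persistent Windows service.
# JetBrains CLI patterns are not modelled here; add them from your own inventory.
EVENTS = [
    {"host": "DEV-01", "user": "alice", "ts": "2024-05-01T09:00:00",
     "cmd": "code.exe tunnel --name dev01"},
    {"host": "DEV-01", "user": "alice", "ts": "2024-05-02T09:05:00",
     "cmd": "code.exe tunnel --name dev01"},
    {"host": "ADMIN-07", "user": "svc_build", "ts": "2024-05-01T22:10:00",
     "cmd": '"C:\\Program Files\\Microsoft VS Code\\bin\\code.exe" tunnel service install'},
    {"host": "ADMIN-07", "user": "svc_build", "ts": "2024-05-02T03:00:00",
     "cmd": "code.exe tunnel --name admin07"},
    {"host": "ADMIN-07", "user": "svc_build", "ts": "2024-05-03T03:00:00",
     "cmd": "code.exe tunnel --name admin07"},
    {"host": "ADMIN-07", "user": "svc_build", "ts": "2024-05-04T03:00:00",
     "cmd": "code.exe tunnel --name admin07"},
    {"host": "SRV-DB", "user": "bob", "ts": "2024-05-01T11:00:00",
     "cmd": "code.exe --version"},
]

# Hosts where IDE tunnels are approved; populate this from the inventory step.
APPROVED_TUNNEL_HOSTS = {"DEV-01"}
TUNNEL_RE = re.compile(r'(?:^|[\\/])code(?:\.exe|\.cmd)?"?\s+tunnel\b', re.I)
SERVICE_INSTALL_RE = re.compile(r"\btunnel\s+service\s+install\b", re.I)

def is_tunnel_cmd(cmd):
    return bool(TUNNEL_RE.search(cmd))

def find_persistent_tunnels(events, approved_hosts, min_days=2):
    """Flag (host, user) pairs on unapproved hosts whose tunnel activity recurs on
    at least min_days distinct days; record first-seen time and service install."""
    activity = defaultdict(lambda: {"first_seen": None, "days": set(), "service_install": False})
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["host"] in approved_hosts or not is_tunnel_cmd(ev["cmd"]):
            continue
        rec = activity[(ev["host"], ev["user"])]
        rec["first_seen"] = rec["first_seen"] or ev["ts"]
        rec["days"].add(ev["ts"][:10])
        rec["service_install"] |= bool(SERVICE_INSTALL_RE.search(ev["cmd"]))
    return {
        key: {"first_seen": r["first_seen"], "active_days": len(r["days"]),
              "service_install": r["service_install"]}
        for key, r in activity.items() if len(r["days"]) >= min_days
    }
```

Running `find_persistent_tunnels(EVENTS, APPROVED_TUNNEL_HOSTS)` returns only the ADMIN-07 pair, because the approved developer workstation is filtered out and the one-off `--version` execution never matches the tunnel pattern.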
Mitigation priorities
- Establish policy and ownership for IDE-integrated remote tunnels, including which users and Windows systems may use them.
- Ensure developer remote access paths are included in access reviews, incident response playbooks, and audit evidence alongside VPN, RMM, and privileged access tooling.
- Limit or monitor persistent tunnel capability where it is not operationally required.
- Improve endpoint and identity log retention so tunnel profile creation and related account authentication can be reconstructed during investigations.
- Use approved software inventory and configuration governance to identify unmanaged VSCode or JetBrains CLI usage on sensitive Windows systems.
Analyst notes and limits
This object is a detection analytic, not a technique. Its value is in highlighting a specific monitoring scenario: IDE tunnel profile creation followed by persistent remote access on Windows. The supplied relationship context is empty, so no ATT&CK tactic, technique, group, malware, or campaign linkage should be inferred.
Official detection content is not provided, tactics are not specified, and no relationships are supplied. Any concrete rule logic, severity, prevalence, attribution, or exposure assessment requires local telemetry, tool inventory, and identity-provider evidence.
Analytic 0375
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 |  | 1.0 |  | Current bundle | 0a5fad7f3096… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0375
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.