AN0376: Analytic 0376
Creation of VSCode tunnel configuration file combined with interactive remote session via code CLI or ssh with JetBrains gateway.
Analyst context for executives and security teams
This analytic concerns Linux systems where a VSCode tunnel configuration file is created alongside an interactive remote session using the code CLI or SSH with JetBrains Gateway. For leaders, the practical issue is governance and visibility over remote developer access: legitimate tools can create interactive pathways into systems, so the business question is whether those pathways are approved, logged, and reviewable during an incident.
Executive priority
Prioritize this where Linux developer workstations, build hosts, or administration systems are important to operations. Security leaders should ask whether remote development tooling is authorized, whether SSH and code-based remote sessions are covered by monitoring, and whether audit evidence can show who initiated interactive access and when. Because ATT&CK provides no tactic or official detection logic for this analytic, it should be treated as a coverage-validation item rather than a standalone risk conclusion.
Technical view
For SOC and detection engineering, validate whether Linux telemetry can correlate two conditions: creation of a VSCode tunnel configuration file and an interactive remote session involving the code CLI or SSH with JetBrains Gateway. The useful detection question is not simply whether these tools exist, but whether configuration creation and interactive access occur together in a way that is expected for that host and user. Since no ATT&CK detection text or relationships are supplied, local baselining and approved-tool context are required.
Likely telemetry
- Linux file creation or modification events for VSCode tunnel configuration artifacts
- Linux process execution telemetry for the code CLI
- SSH client and session logs related to interactive remote access
- User, host, and timestamp context to correlate configuration creation with session activity
- Asset inventory or software inventory showing authorized VSCode, JetBrains Gateway, and SSH usage
Detection direction
- Confirm endpoint or audit logging captures both configuration-file creation and process/session activity on Linux systems.
- Correlate VSCode tunnel configuration creation with nearby interactive sessions using code CLI or SSH with JetBrains Gateway.
- Tune against known developer workflows to reduce false positives from approved remote development activity.
- Review gaps where developer endpoints, build systems, or administrative Linux hosts lack file creation, process execution, or SSH session telemetry.
- Because no official detection logic is provided, document local assumptions, data sources, and test cases before treating alerts as reliable.
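The correlation described in the detection direction above, as an added illustration that is neither MITRE/ATT&CK content nor Glexia code: it joins tunnel-configuration file creation with a nearby code CLI or SSH session on the same host and user, then marks whether that pair is on an approved-workflow baseline. The JSON event format, the `.vscode-cli/code_tunnel.json` path, the command lines, the ten-minute window and the approved (host, user) list are all assumptions constructed for the example, not values supplied by the analytic.

```python
"""Correlate VSCode tunnel configuration creation with a nearby interactive
remote session (code CLI or SSH) on a Linux host. Added example; the log
format, file path and baseline below are constructed assumptions."""
from datetime import datetime, timedelta
import json
import posixpath

# Assumed indicator for the tunnel configuration artifact (placeholder path,
# not taken from the analytic); adjust to what your file-integrity or audit
# telemetry actually records.
TUNNEL_CONFIG_DIR = ".vscode-cli"
TUNNEL_CONFIG_NAME = "code_tunnel.json"
# Assumed correlation window between config creation and session activity.
WINDOW = timedelta(minutes=10)
# Assumed local baseline of (host, user) pairs approved for remote development.
APPROVED_REMOTE_DEV = {("build01", "dev1")}

# Constructed sample telemetry (JSON lines), not real logs.
SAMPLE_EVENTS = """\
{"ts": "2024-05-01T09:00:05", "host": "build01", "user": "dev1", "type": "file_create", "path": "/home/dev1/.vscode-cli/code_tunnel.json"}
{"ts": "2024-05-01T09:00:40", "host": "build01", "user": "dev1", "type": "process", "cmd": "code tunnel"}
{"ts": "2024-05-01T10:15:00", "host": "admin02", "user": "ops", "type": "file_create", "path": "/home/ops/.vscode-cli/code_tunnel.json"}
{"ts": "2024-05-01T10:16:30", "host": "admin02", "user": "ops", "type": "ssh_session", "cmd": "sshd: ops [priv]", "client": "JetBrains Gateway (assumed)"}
{"ts": "2024-05-01T11:00:00", "host": "ws07", "user": "dev2", "type": "file_create", "path": "/home/dev2/.vscode-cli/code_tunnel.json"}
{"ts": "2024-05-01T14:30:00", "host": "ws07", "user": "dev2", "type": "process", "cmd": "code tunnel"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into dicts with a datetime 'ts' field."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def is_tunnel_config_create(ev):
    """True for a file-creation event on the assumed tunnel config path."""
    if ev.get("type") != "file_create":
        return False
    parent, name = posixpath.split(ev.get("path", ""))
    return name == TUNNEL_CONFIG_NAME and posixpath.basename(parent) == TUNNEL_CONFIG_DIR


def is_interactive_remote_session(ev):
    """True for an SSH session event or a 'code tunnel' CLI process (assumed shapes)."""
    if ev.get("type") == "ssh_session":
        return True
    tokens = ev.get("cmd", "").split()
    return ev.get("type") == "process" and tokens[:1] == ["code"] and "tunnel" in tokens


def correlate(events, window=WINDOW, approved=APPROVED_REMOTE_DEV):
    """Return one finding per (config creation, session) pair on the same
    host and user within the window, flagged against the approved baseline."""
    sessions = [e for e in events if is_interactive_remote_session(e)]
    configs = sorted((e for e in events if is_tunnel_config_create(e)), key=lambda e: e["ts"])
    findings = []
    for cfg in configs:
        for s in sessions:
            if (s["host"], s["user"]) != (cfg["host"], cfg["user"]):
                continue
            gap = s["ts"] - cfg["ts"]
            if abs(gap) > window:
                continue
            findings.append({
                "host": cfg["host"],
                "user": cfg["user"],
                "config_ts": cfg["ts"].isoformat(),
                "session_ts": s["ts"].isoformat(),
                "session": s.get("cmd", ""),
                "gap_seconds": int(abs(gap).total_seconds()),
                # Approved pairs are kept for audit review rather than alerted on.
                "approved": (cfg["host"], cfg["user"]) in approved,
            })
    return findings


if __name__ == "__main__":
    for f in correlate(parse_events(SAMPLE_EVENTS)):
        status = "approved workflow" if f["approved"] else "REVIEW"
        print(f"{f['host']}/{f['user']}: config {f['config_ts']} -> session "
              f"{f['session_ts']} ({f['gap_seconds']}s) [{status}]")
```

Run against the constructed sample, the build01/dev1 pair is matched and marked approved, the admin02/ops pair is matched and surfaced for review, and the ws07/dev2 events are not paired because the session falls outside the window. The approved set stands in for the local baselining the detection direction calls for; a real deployment would replace it with the asset or software inventory data listed under likely telemetry.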
Mitigation priorities
- Define which remote development tools and tunnel features are approved for Linux systems.
- Apply least-privilege and SSH access governance for users who can initiate interactive sessions.
- Maintain asset and software inventory for systems where VSCode, JetBrains Gateway, code CLI, or SSH-based remote development is permitted.
- Ensure logging retention supports incident response review of configuration creation and interactive session timelines.
- Use security policy, change control, and user education to distinguish sanctioned remote development from unapproved access paths.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic, not a technique, and has no tactics, relationships, aliases, or official detection content. The key decision value is validating whether the organization can observe and govern this remote-development pattern on Linux systems.
This take is limited to the official fields provided: Linux platform, the analytic description, and the MITRE external reference. It does not establish maliciousness, attribution, prevalence, impact, or detection coverage. Local environment evidence is required to determine whether observed activity is authorized or suspicious.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | efdb98cfd38c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0376
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.