AN0377: Analytic 0377
Detection of JetBrains or VSCode tunnel profile creation followed by unusual persistent SSH or IDE-based tunnel communications to devtunnel APIs.
Analyst context for executives and security teams
This analytic is about spotting macOS developer tooling being used to create JetBrains or VSCode tunnel profiles and then maintain unusual SSH or IDE-based tunnel communications to devtunnel APIs. For security leaders, the practical issue is not the tools themselves—they may be legitimate—but whether developer tunnel features can create unmanaged remote access paths that bypass normal access reviews, network controls, and incident visibility.
Executive priority
Prioritize this where macOS developer workstations are material to engineering, product delivery, or sensitive code access. Leaders should ask whether sanctioned remote development workflows are documented, whether persistent tunnel activity is visible to the SOC, and whether exceptions are governed. This can support operational resilience and audit readiness by clarifying which remote access paths are approved, monitored, and removable during an incident.
Technical view
For SOC and detection teams, validate visibility on macOS endpoints for JetBrains or VSCode tunnel profile creation and correlate that activity with sustained or unusual outbound SSH or IDE tunnel communications to devtunnel APIs. Because no ATT&CK detection logic or relationships are supplied, teams should treat this as a detection-validation prompt: define normal developer tunnel behavior, identify persistence or long-lived sessions, and distinguish sanctioned remote development from unexpected profile creation or communications patterns.
Likely telemetry
- macOS endpoint process execution and parent-child process context for JetBrains, VSCode, SSH, and related helper processes
- File or configuration monitoring for IDE tunnel profile creation or modification
- Network telemetry showing outbound SSH or IDE-based tunnel communications
- DNS, proxy, firewall, or EDR network records for connections to devtunnel APIs
- User, host, and device inventory context to confirm whether the macOS system is an approved developer workstation
Detection direction
- Baseline expected JetBrains and VSCode tunnel usage on macOS before alerting on all tunnel activity, because developer tooling can be legitimate.
- Correlate profile creation with subsequent persistent or unusual outbound tunnel communications rather than treating either event alone as conclusive.
- Tune by user role, host ownership, approved development workflows, and known engineering environments to reduce false positives.
- Look for blind spots where macOS endpoint telemetry, IDE configuration changes, DNS/proxy logs, or long-lived outbound session data are not collected.
- Since no official detection logic is provided, test local analytic assumptions with representative sanctioned developer activity and incident-response review criteria.
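The correlation the bullets above describe (profile creation on a macOS host, followed within a window by a long-lived outbound session to a devtunnel API host, suppressed for sanctioned users and workstations) can be prototyped against endpoint and network telemetry. The code below is an added illustration, not part of the ATT&CK object or of Glexia's page. The profile paths, process names and the `.devtunnel-api.example` host suffix are hypothetical placeholders to be replaced with values observed in your own environment, and the event samples are constructed.

```python
"""Correlate IDE tunnel-profile creation with subsequent long-lived devtunnel sessions.

Added example: file and network events are constructed; path markers, process
names and the devtunnel host suffix are assumptions, not values from the page.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed indicators (replace with what your EDR/DNS telemetry actually shows).
DEVTUNNEL_HOST_SUFFIXES = (".devtunnel-api.example",)          # constructed placeholder
PROFILE_PATH_MARKERS = ("/.vscode-cli/", "/JetBrains/RemoteDev/")  # hypothetical paths
TUNNEL_PROCESSES = {"code", "code-tunnel", "ssh", "remote-dev-server"}  # hypothetical names


@dataclass(frozen=True)
class FileEvent:
    ts: datetime
    host: str
    user: str
    process: str
    path: str


@dataclass(frozen=True)
class NetEvent:
    ts: datetime
    host: str
    user: str
    process: str
    dest_host: str
    duration: timedelta


def is_profile_creation(ev: FileEvent) -> bool:
    """A file write under a known IDE tunnel-profile location."""
    return any(marker in ev.path for marker in PROFILE_PATH_MARKERS)


def is_devtunnel_session(ev: NetEvent) -> bool:
    """An IDE/SSH helper talking to a devtunnel API host."""
    return ev.process in TUNNEL_PROCESSES and ev.dest_host.endswith(DEVTUNNEL_HOST_SUFFIXES)


def correlate(file_events, net_events, approved, window=timedelta(hours=24),
              min_duration=timedelta(minutes=30)):
    """Return (alerts, suppressed): profile creations followed by a long-lived
    devtunnel session from the same user on the same host inside `window`.
    Pairs on the `approved` (user, host) baseline are reported separately so
    the tuning step stays visible instead of silently dropping events."""
    alerts, suppressed = [], []
    creations = sorted((e for e in file_events if is_profile_creation(e)), key=lambda e: e.ts)
    for c in creations:
        for n in net_events:
            if (n.host, n.user) != (c.host, c.user):
                continue
            if not (c.ts <= n.ts <= c.ts + window):
                continue
            if not is_devtunnel_session(n) or n.duration < min_duration:
                continue
            finding = {
                "host": c.host, "user": c.user, "profile_path": c.path,
                "dest_host": n.dest_host, "session_hours": n.duration.total_seconds() / 3600,
            }
            (suppressed if (c.user, c.host) in approved else alerts).append(finding)
    return alerts, suppressed


# Constructed sample telemetry.
T0 = datetime(2024, 1, 15, 9, 0)
SAMPLE_FILE_EVENTS = [
    FileEvent(T0, "mac-eng-01", "alice", "code", "/Users/alice/.vscode-cli/tunnel-config.json"),
    FileEvent(T0, "mac-eng-01", "alice", "code", "/Users/alice/project/settings.json"),  # ordinary write
    FileEvent(T0 + timedelta(hours=1), "mac-fin-02", "bob", "remote-dev-server",
              "/Users/bob/Library/Application Support/JetBrains/RemoteDev/profile.json"),
]
SAMPLE_NET_EVENTS = [
    NetEvent(T0 + timedelta(minutes=5), "mac-eng-01", "alice", "code-tunnel",
             "global.devtunnel-api.example", timedelta(hours=6)),            # approved -> suppressed
    NetEvent(T0 + timedelta(hours=1, minutes=10), "mac-fin-02", "bob", "ssh",
             "tunnels.devtunnel-api.example", timedelta(hours=5)),           # alert
    NetEvent(T0 + timedelta(hours=1, minutes=20), "mac-fin-02", "bob", "ssh",
             "tunnels.devtunnel-api.example", timedelta(minutes=2)),         # too short
    NetEvent(T0 + timedelta(days=3), "mac-fin-02", "bob", "ssh",
             "tunnels.devtunnel-api.example", timedelta(hours=4)),           # outside window
    NetEvent(T0 + timedelta(minutes=30), "mac-ops-03", "carol", "ssh",
             "tunnels.devtunnel-api.example", timedelta(hours=8)),           # no profile creation
]
APPROVED = {("alice", "mac-eng-01")}  # sanctioned developer workstation baseline


def run_sample():
    return correlate(SAMPLE_FILE_EVENTS, SAMPLE_NET_EVENTS, APPROVED)


if __name__ == "__main__":
    alerts, suppressed = run_sample()
    print("alerts:", alerts)
    print("suppressed by baseline:", suppressed)
```

Carol's long-lived session is deliberately not alerted: it has no preceding profile creation, matching the guidance that neither event alone is conclusive. In a real deployment that case is better routed to a separate lower-severity review, since it may also indicate a telemetry gap on the file-monitoring side.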
Mitigation priorities
- Establish and document approved remote development and IDE tunnel usage for macOS developer systems.
- Limit tunnel capability to authorized users, devices, and business workflows where feasible.
- Ensure macOS endpoint, network, DNS/proxy, and configuration telemetry needed for this analytic is retained and accessible to the SOC.
- Create incident-response procedures for validating and disabling unauthorized IDE or SSH tunnel profiles on developer workstations.
- Review identity, device posture, and access governance for developer accounts that can create persistent remote development tunnels.
Analyst notes and limits
The object is a detection analytic in the enterprise ATT&CK domain for macOS. It specifically references JetBrains or VSCode tunnel profile creation followed by unusual persistent SSH or IDE-based tunnel communications to devtunnel APIs. No tactics, relationships, aliases, or official detection implementation are supplied, so local engineering workflow context is essential for interpretation.
This take is limited to the supplied ATT&CK fields and external reference. It does not establish adversary use, impact, attribution, prevalence, or guaranteed detection. The official detection field is not provided, and no relationship context is supplied, so detection content must be developed and validated against local macOS developer tooling, network architecture, and approved remote access practices.
Analytic 0377
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 52d963b64692… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0377
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.