MITRE ATT&CK® Analytic

AN1548: Analytic 1548

Adversary installs or side-loads an IDE extension (VS Code, IntelliJ/JetBrains, Eclipse) or enables IDE tunneling. Chain: (1) IDE binary starts on a non-developer endpoint or server, often with install/force/tunnel flags → (2) extension files/registrations appear under user profile → (3) browser/IDE initiates outbound connections to extension marketplaces, update endpoints, or IDE remote/tunnel services → (4) optional child tools (ssh, node, powershell) execute under the IDE context.

Enterprise · AN1548 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic describes suspicious use of IDE tooling on Windows: an IDE such as VS Code, JetBrains/IntelliJ, or Eclipse appears on a non-developer endpoint or server, installs or side-loads extensions, enables tunneling, connects to marketplaces or remote/tunnel services, and may launch child tools such as ssh, node, or PowerShell. For leaders, the practical issue is that developer tools can create trusted-looking execution, extension, and remote-access paths that may not be governed like standard enterprise software.

Executive priority

Prioritize this where Windows servers or business-user endpoints should not be running IDEs, or where developer workstations have high access to source code, credentials, build systems, or production administration paths. The decision value is asset governance: know where IDEs are authorized, whether extension and tunneling activity is monitored, and whether SOC/IR teams can distinguish legitimate developer activity from unexpected IDE-driven execution. This can support software control evidence, incident scoping, and risk decisions around developer tooling and remote access.

Technical view

Validate coverage for the chain described by the ATT&CK analytic: IDE process starts on Windows, especially on non-developer endpoints or servers; extension files or registrations appear under user profiles; browser or IDE processes make outbound connections to extension marketplaces, update endpoints, or IDE remote/tunnel services; and child processes such as ssh, node, or powershell execute under the IDE context. Because no official detection logic is provided, teams should build local baselines by asset role and user population before alerting broadly.

Likely telemetry

  • Windows process creation events for IDE binaries and child processes
  • Command-line arguments, especially install, force, remote, or tunnel-related flags where available
  • File creation or modification events under user profile locations associated with IDE extensions or registrations
  • Network connection logs or proxy/DNS telemetry for IDE marketplace, update, remote, or tunnel services
  • Asset inventory identifying developer workstations versus non-developer endpoints and servers

Detection direction

  • Start with asset-role logic: IDE execution on Windows servers or non-developer endpoints should be higher priority than IDE activity on known developer workstations.
  • Correlate multiple stages rather than alerting on IDE execution alone: IDE start, extension registration or file creation, outbound service connection, and child tool execution under the IDE process tree.
  • Tune for legitimate software development, updates, and extension management to reduce false positives.
  • Review child processes spawned by IDEs, especially ssh, node, and powershell, because the ATT&CK description highlights optional tool execution under IDE context.
  • Account for blind spots where endpoint telemetry lacks command lines, user-profile file monitoring, proxy/DNS visibility, or process-tree lineage.
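The stage-correlation approach in the bullets above, as an added example in Python that is not code from MITRE ATT&CK or from Glexia: it walks Sysmon-style process lineage to group file, network and child-process events under the IDE process that started them, records which of the four stages each IDE process tree exhibits, weights non-developer assets higher, and suppresses single-stage hits. The event records, the asset-role table, the extension path fragments and the service-host watchlist (including the `tunnel-service.invalid` placeholder) are constructed assumptions to be replaced with local inventory and telemetry.

```python
"""Multi-stage correlation of IDE activity on Windows hosts.

Added example, not code from MITRE ATT&CK or Glexia. Events are constructed,
Sysmon-style records; the asset-role table, extension path fragments and the
service host watchlist are assumptions to be replaced with local data.
"""
from dataclasses import dataclass, field

# Assumed asset-role inventory (constructed); unknown hosts count as non-developer.
ASSET_ROLE = {"SRV-FILE01": "server", "WS-FIN-12": "business", "WS-DEV-07": "developer"}
IDE_IMAGES = {"code.exe", "idea64.exe", "eclipse.exe"}       # VS Code, IntelliJ, Eclipse
CHILD_TOOLS = {"ssh.exe", "node.exe", "powershell.exe"}       # stage-4 tools named by the analytic
FLAG_HINTS = ("install", "force", "remote", "tunnel")          # stage-1 command-line hints
EXT_PATH_HINTS = ("\\.vscode\\extensions\\", "\\jetbrains\\")  # assumed extension path fragments
# Assumed watchlist: marketplace hosts plus a placeholder for a tunnel service.
SERVICE_SUFFIXES = ("marketplace.visualstudio.com", "plugins.jetbrains.com", "tunnel-service.invalid")


def basename(image: str) -> str:
    """Lower-case file name of a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()


@dataclass
class Finding:
    host: str
    role: str
    root_pid: int
    stages: set = field(default_factory=set)
    evidence: list = field(default_factory=list)

    @property
    def score(self) -> int:
        # One point per observed stage; non-developer assets get one extra point.
        return len(self.stages) + (1 if self.role != "developer" else 0)


def correlate(events, min_score=3):
    """Group events under the IDE process that started them and score stages 1-4."""
    proc = {}  # (host, pid) -> (ppid, image basename), from process-creation events
    for e in events:
        if e["event"] == "process_create":
            proc[(e["host"], e["pid"])] = (e["ppid"], basename(e["image"]))

    def ide_root(host, pid):
        """Walk the parent chain; return the topmost IDE process in the lineage, or None."""
        root, seen = None, set()
        while (host, pid) in proc and pid not in seen:
            seen.add(pid)
            ppid, img = proc[(host, pid)]
            if img in IDE_IMAGES:
                root = pid
            pid = ppid
        return root

    findings = {}
    for e in events:
        host, root = e["host"], ide_root(e["host"], e["pid"])
        if root is None:
            continue  # not under an IDE process tree: out of scope for this analytic
        f = findings.setdefault((host, root), Finding(host, ASSET_ROLE.get(host, "unknown"), root))
        if e["event"] == "process_create":
            img = basename(e["image"])
            if e["pid"] == root:                       # stage 1: the IDE itself starts
                f.stages.add(1)
                hits = [h for h in FLAG_HINTS if h in e.get("cmdline", "").lower()]
                f.evidence.append(f"IDE start {img} flags={hits}")
            elif img in CHILD_TOOLS:                   # stage 4: tool under the IDE tree
                f.stages.add(4)
                f.evidence.append(f"child tool {img} under IDE pid {root}")
        elif e["event"] == "file_create":              # stage 2: extension files in profile
            if any(h in e["target_path"].lower() for h in EXT_PATH_HINTS):
                f.stages.add(2)
                f.evidence.append(f"extension file {e['target_path']}")
        elif e["event"] == "net_connect":              # stage 3: marketplace/update/tunnel
            if e["dest_host"].lower().endswith(SERVICE_SUFFIXES):
                f.stages.add(3)
                f.evidence.append(f"outbound {e['dest_host']}:{e['dest_port']}")
    return [f for f in findings.values() if f.score >= min_score]


VSCODE = "C:\\Users\\svc_backup\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe"
EVENTS = [  # constructed sample telemetry
    # Server: all four stages under one IDE process
    {"event": "process_create", "host": "SRV-FILE01", "pid": 4100, "ppid": 900, "image": VSCODE,
     "cmdline": "Code.exe --install-extension sample-publisher.sample-ext --force"},
    {"event": "file_create", "host": "SRV-FILE01", "pid": 4100,
     "target_path": "C:\\Users\\svc_backup\\.vscode\\extensions\\sample-publisher.sample-ext-1.0.0\\package.json"},
    {"event": "net_connect", "host": "SRV-FILE01", "pid": 4100, "dest_host": "marketplace.visualstudio.com", "dest_port": 443},
    {"event": "process_create", "host": "SRV-FILE01", "pid": 4188, "ppid": 4100,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -NoProfile"},
    # Developer workstation: IDE start plus a marketplace connection (routine activity)
    {"event": "process_create", "host": "WS-DEV-07", "pid": 7200, "ppid": 500, "image": VSCODE, "cmdline": "Code.exe C:\\src\\app"},
    {"event": "net_connect", "host": "WS-DEV-07", "pid": 7200, "dest_host": "marketplace.visualstudio.com", "dest_port": 443},
    # Business endpoint: a lone IDE start, and an ssh.exe that is not under any IDE
    {"event": "process_create", "host": "WS-FIN-12", "pid": 3300, "ppid": 600, "image": "C:\\Tools\\idea64.exe", "cmdline": "idea64.exe"},
    {"event": "process_create", "host": "WS-FIN-12", "pid": 3500, "ppid": 600, "image": "C:\\Windows\\System32\\OpenSSH\\ssh.exe", "cmdline": "ssh.exe"},
]

if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f"[{f.score}] {f.host} ({f.role}) IDE root pid {f.root_pid} stages {sorted(f.stages)}")
        for line in f.evidence:
            print("   ", line)
```

On the constructed input only SRV-FILE01 reaches the default threshold: the developer workstation's IDE start plus marketplace connection scores 2, as does the lone IDE start on the business endpoint, so neither alerts without a further stage, and the ssh.exe outside any IDE tree is ignored entirely. Lowering `min_score` to 2 surfaces all three, which is the per-asset-role tuning knob the bullets describe.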

Mitigation priorities

  • Maintain an approved-software and asset-role inventory for IDE use on Windows endpoints and servers.
  • Restrict or review IDE installation and extension management on systems where development tooling is not required.
  • Apply network governance for IDE extension marketplaces, update endpoints, and remote/tunnel services according to business need.
  • Ensure least-privilege access for users running IDEs, especially where developer systems can reach sensitive repositories, build pipelines, or administrative environments.
  • Prepare IR playbooks to collect IDE process trees, extension directories, user context, and outbound connection history during triage.

Analyst notes and limits

This object is a detection analytic, not a technique record. It supplies a behavioral chain and Windows platform scope, but no official detection query, tactics, relationships, or mitigation mappings. The strongest use is as a validation checklist for SOC content and endpoint governance around IDE usage, extension activity, and IDE-mediated remote/tunnel behavior.

Assessment is limited to the supplied ATT&CK fields. No relationship context, official detection text, active exploitation claim, attribution, impact statement, or non-Windows platform coverage was provided. Local asset inventory and telemetry quality are required to determine materiality and detection feasibility.

Official MITRE ATT&CK definition

Analytic 1548

Adversary installs or side-loads an IDE extension (VS Code, IntelliJ/JetBrains, Eclipse) or enables IDE tunneling. Chain: (1) IDE binary starts on a non-developer endpoint or server, often with install/force/tunnel flags → (2) extension files/registrations appear under user profile → (3) browser/IDE initiates outbound connections to extension marketplaces, update endpoints, or IDE remote/tunnel services → (4) optional child tools (ssh, node, powershell) execute under the IDE context.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: d71b8115cb878b17...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  d71b8115cb87…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1] mitre-attack: AN1548

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.