MITRE ATT&CK® Detection Strategy

DET0133: IDE Tunneling Detection via Process, File, and Network Behaviors

Enterprise | DET0133 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This detection strategy is meant to help identify abuse of IDE remote development or tunneling features as a command-and-control channel. For leaders, the practical issue is that legitimate developer tooling can create encrypted, interactive access paths that may not look like traditional malware or simple SSH forwarding. That makes this behavior important for organizations with developer workstations, build systems, or remote administration workflows where trusted tools could become a blind spot.

Executive priority

Prioritize this as a control-validation topic where IDE remote development is allowed on Windows, macOS, or Linux systems. The business question is not simply whether IDEs are installed, but whether security teams can distinguish approved developer tunneling from unexpected interactive access, file sharing, debugging, or port-forwarding behavior. This matters for SOC readiness, incident response scoping, identity and access governance, and audit evidence around remote access controls.

Technical view

The supplied ATT&CK object has no official detection text or platform list of its own, but it detects T1219.001, IDE Tunneling, which is associated with command-and-control on Linux, macOS, and Windows. SOC and detection engineering teams should validate visibility across process execution, file activity, and network behavior involving IDE software and remote development features. Useful review points include unexpected IDE child processes, unusual remote tunnel sessions, file transfer or workspace synchronization activity, debugging-related activity, and outbound connections that do not align with approved developer workflows.

Likely telemetry

  • Endpoint process creation and parent-child process relationships for IDE and remote development components
  • Network connection metadata, especially outbound encrypted sessions associated with developer tooling
  • File creation, modification, sharing, or synchronization activity tied to IDE remote workspace features
  • Authentication and access logs for developer systems and remote hosts where available
  • Asset and software inventory showing where IDE remote development tooling is installed or permitted

Detection direction

  • Baseline approved IDE tunneling and remote development use before writing high-severity alerts; legitimate developer activity can otherwise create noise.
  • Correlate process, file, and network behaviors rather than relying on a single indicator, because IDE tunneling can encapsulate several capabilities in one session.
  • Review activity on Linux, macOS, and Windows systems where the related technique applies.
  • Tune for unexpected systems, users, destinations, times, or child processes associated with IDE tooling.
  • Validate whether encrypted or proprietary tunneling protocols reduce network inspection value and whether endpoint telemetry compensates for that blind spot.
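The correlation approach described in the technical view and the detection direction above, worked through as an added example (this is not code from the ATT&CK object or from Glexia's analysis). It reads normalised endpoint events, ties child-process, network and file activity back to the IDE component that owns them, and only raises severity when several independent deviations from the baseline coincide. The event schema, the host names, the user names, the relay destination, the process image name `ide-tunnel-agent`, and the business-hours policy are all constructed for the example.

```python
"""Correlate IDE tunneling telemetry across process, network and file events.

Added example, not part of the ATT&CK object or Glexia's analysis. Event
schema, process names, hostnames and destinations are all constructed here.
"""

# Constructed baseline: (host, user) pairs approved for IDE remote development.
APPROVED_TUNNEL_USE = {("dev-ws-01", "alice"), ("dev-ws-03", "carol")}
# Constructed relay destination approved for tunnel traffic (hypothetical name).
APPROVED_DESTINATIONS = {"tunnels.example-ide.test"}
# Hypothetical image name of the IDE remote-development component.
IDE_PROCESS_NAMES = {"ide-tunnel-agent"}
# Shells whose appearance as an IDE child suggests interactive use of the tunnel.
SHELL_NAMES = {"bash", "sh", "zsh", "cmd.exe", "powershell.exe"}
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 local; constructed policy

# Constructed sample telemetry (normalised endpoint events, three sessions).
EVENTS = [
    # Session A: approved developer, approved relay, workspace edits only.
    {"ts": "2026-03-02T10:05:00", "host": "dev-ws-01", "user": "alice", "type": "process_start", "pid": 100, "ppid": 1, "image": "ide-tunnel-agent"},
    {"ts": "2026-03-02T10:05:02", "host": "dev-ws-01", "user": "alice", "type": "network_connect", "pid": 100, "dest": "tunnels.example-ide.test", "dport": 443},
    {"ts": "2026-03-02T10:06:10", "host": "dev-ws-01", "user": "alice", "type": "file_write", "pid": 100, "path": "/home/alice/project/app.py"},
    # Session B: tunnel agent on a finance server, off-hours, spawning a shell.
    {"ts": "2026-03-02T02:13:00", "host": "fin-srv-02", "user": "svc_backup", "type": "process_start", "pid": 200, "ppid": 1, "image": "ide-tunnel-agent"},
    {"ts": "2026-03-02T02:13:01", "host": "fin-srv-02", "user": "svc_backup", "type": "network_connect", "pid": 200, "dest": "tunnels.example-ide.test", "dport": 443},
    {"ts": "2026-03-02T02:14:30", "host": "fin-srv-02", "user": "svc_backup", "type": "process_start", "pid": 201, "ppid": 200, "image": "bash"},
    {"ts": "2026-03-02T02:15:00", "host": "fin-srv-02", "user": "svc_backup", "type": "file_write", "pid": 200, "path": "/tmp/export.zip"},
    # Session C: approved developer, but the tunnel relay is not the approved one.
    {"ts": "2026-03-02T14:00:00", "host": "dev-ws-03", "user": "carol", "type": "process_start", "pid": 300, "ppid": 1, "image": "ide-tunnel-agent"},
    {"ts": "2026-03-02T14:00:03", "host": "dev-ws-03", "user": "carol", "type": "network_connect", "pid": 300, "dest": "relay.unknown.test", "dport": 8443},
]


def build_sessions(events, ide_names=IDE_PROCESS_NAMES):
    """Index every IDE component start as a session keyed by (host, pid)."""
    sessions = {}
    for ev in events:
        if ev["type"] == "process_start" and ev["image"] in ide_names:
            sessions[(ev["host"], ev["pid"])] = {
                "host": ev["host"], "user": ev["user"], "pid": ev["pid"],
                "start_hour": int(ev["ts"][11:13]), "behaviors": {"process"},
                "children": [], "destinations": set(), "files": [],
            }
    return sessions


def attach_events(events, sessions):
    """Attach child-process, network and file events to the owning IDE session."""
    for ev in events:
        if ev["type"] == "process_start":
            s = sessions.get((ev["host"], ev["ppid"]))  # child of an IDE process?
            if s:
                s["behaviors"].add("child_process")
                s["children"].append(ev["image"])
        elif ev["type"] == "network_connect":
            s = sessions.get((ev["host"], ev["pid"]))
            if s:
                s["behaviors"].add("network")
                s["destinations"].add(ev["dest"])
        elif ev["type"] == "file_write":
            s = sessions.get((ev["host"], ev["pid"]))
            if s:
                s["behaviors"].add("file")
                s["files"].append(ev["path"])
    return sessions


def assess(session, approved_use=APPROVED_TUNNEL_USE, approved_dest=APPROVED_DESTINATIONS):
    """Score one session. Each deviation from the baseline is a reason; severity
    rises with the number of independent reasons, not with any single indicator."""
    reasons = []
    if (session["host"], session["user"]) not in approved_use:
        reasons.append("host/user not in approved IDE tunneling baseline")
    unexpected = session["destinations"] - approved_dest
    if unexpected:
        reasons.append("tunnel to unapproved destination: " + ", ".join(sorted(unexpected)))
    shells = [c for c in session["children"] if c in SHELL_NAMES]
    if shells:
        reasons.append("shell spawned from IDE process: " + ", ".join(shells))
    if session["start_hour"] not in BUSINESS_HOURS:
        reasons.append("tunnel started outside business hours")
    severity = "high" if len(reasons) >= 2 else "medium" if reasons else "info"
    return {"host": session["host"], "user": session["user"], "pid": session["pid"],
            "behaviors": sorted(session["behaviors"]), "reasons": reasons, "severity": severity}


def detect(events):
    """Run the full correlation and return one finding per IDE session."""
    sessions = attach_events(events, build_sessions(events))
    return [assess(s) for s in sessions.values()]


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f["severity"].upper(), f["host"], f["user"], f["behaviors"], f["reasons"])
```

Run as-is, the approved developer session on dev-ws-01 comes out as "info" (it matches the baseline and is kept only as context), the finance-server session is "high" because three independent deviations coincide (unapproved host/user, a shell child of the IDE process, and an off-hours start), and the dev-ws-03 session is "medium" on the single deviation of an unapproved relay destination. The important design choice is that the baseline sets (`APPROVED_TUNNEL_USE`, `APPROVED_DESTINATIONS`) come from local environment evidence, which is exactly what the analyst notes say ATT&CK does not supply for DET0133.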

Mitigation priorities

  • Define where IDE remote development and tunneling are approved, and document exceptions.
  • Use software inventory and endpoint controls to reduce unapproved IDE tunneling tools or features where they are not needed.
  • Apply identity and access controls to developer accounts and remote hosts, including least privilege and review of remote access permissions.
  • Ensure SOC runbooks cover how to triage suspicious IDE tunneling without disrupting legitimate engineering operations unnecessarily.
  • Maintain compliance evidence showing approved remote development paths, monitoring coverage, and incident response procedures.

Analyst notes and limits

This take is based on the detection strategy metadata and its relationship to ATT&CK technique T1219.001, IDE Tunneling. The object name references process, file, and network behaviors, but the official description and official detection fields are not provided, so recommendations are framed as validation direction rather than prescribed analytics.

ATT&CK provides no official detection logic, no detection text, and no platform list directly on DET0133. Platform and tactic context comes from the related technique only. Local environment evidence is required to determine whether IDE tunneling is permitted, what tools are present, and which telemetry sources are actually collected.

Official MITRE ATT&CK definition

IDE Tunneling Detection via Process, File, and Network Behaviors

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain     | ID        | Name          | Type          | Relationship / procedure
-----------|-----------|---------------|---------------|-----------------------------------
Enterprise | T1219.001 | IDE Tunneling | Sub-technique | This object detects IDE Tunneling.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Raw hash: dc5db3806cbdb5c0...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
--------|-----------------|----------------|----------|----------------|---------------
19.1    |                 | 1.0            |          | Current bundle | dc5db3806cbd…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack DET0133 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.