DET0561: Detect malicious IDE extension install/usage and IDE tunneling
Analyst context for executives and security teams
This detection strategy matters because malicious IDE extensions can turn developer workstations into a persistence point. Even though the detection strategy object has no official detection text, its relationship to ATT&CK technique T1176.002 indicates the business issue: developer tools such as IDEs often have trusted access to source code, credentials, build workflows, and internal services, so extension install and use should be treated as a control and monitoring surface, not just a developer preference.
Executive priority
Prioritize this where developers or engineers use IDEs on Linux, macOS, or Windows systems and where those systems can access source repositories, CI/CD tooling, cloud credentials, or production-adjacent environments. Leaders should ask whether the organization can inventory IDE extensions, govern approved sources, investigate suspicious extension behavior, and preserve evidence from developer endpoints during an incident. This is especially relevant to software supply chain risk, identity access exposure, and audit evidence for endpoint and development-environment controls.
Technical view
The supplied ATT&CK relationship says DET0561 detects T1176.002, IDE Extensions, under the persistence tactic. SOC and detection teams should validate whether they can observe extension installation, update, execution, and unusual IDE-driven network activity across Linux, macOS, and Windows developer endpoints. Because the official detection field is not provided, teams should build local detection logic from available telemetry: endpoint process events, filesystem changes in IDE extension directories, extension marketplace or package download activity, IDE child processes, credential or repository access patterns, and network connections consistent with IDE tunneling or unexpected remote access behavior.
Likely telemetry
- Endpoint process creation and parent-child process relationships involving IDE applications
- Filesystem events for IDE extension installation, update, or modification locations
- Developer workstation software inventory and installed extension inventory
- Network connection logs from IDE processes, including unusual outbound tunnels or remote endpoints
- Web/proxy/DNS logs for extension marketplace, package, or external service access
Detection direction
- Baseline approved IDEs, extension sources, and commonly used extensions before alerting on every install event.
- Prioritize suspicious combinations: new or rarely seen extension installation followed by persistent IDE activity, unusual child processes, unexpected outbound connections, or access to sensitive developer resources.
- Tune for developer workflow noise; extension updates, marketplace access, Git integrations, Docker integrations, and build tasks may be normal in engineering environments.
- Look for blind spots on unmanaged developer endpoints, contractor machines, local admin workstations, and systems where endpoint telemetry excludes developer tool directories.
- Use relationship context from T1176.002 to treat confirmed malicious extension activity as potential persistence, not only as unwanted software.
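As an added example (not part of the mirrored ATT&CK object or of Glexia's analysis), the following Python correlates constructed developer-endpoint telemetry into the combination described above: an extension install outside the approved baseline followed, within a window, by a shell spawned from the IDE or an IDE connection to a host that is not an approved extension source. The baseline, host allowlist, process names, extension directory layout and event schema are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Assumed local baseline; real values come from your own inventory and policy.
APPROVED_EXTENSIONS = {"ms-python.python", "eamodio.gitlens"}
APPROVED_HOSTS = {"marketplace.visualstudio.com", "update.code.visualstudio.com"}
IDE_PROCESSES = {"code", "code.exe", "idea64.exe", "pycharm"}
SHELLS = {"bash", "sh", "zsh", "cmd.exe", "powershell.exe"}
WINDOW = timedelta(minutes=30)   # follow-on activity must occur within this window

# Constructed telemetry: (ISO timestamp, event kind, fields). Not real logs.
EVENTS = [
    ("2024-05-01T09:00:00", "file_create", {"host": "dev01", "path": "/home/ann/.vscode/extensions/eamodio.gitlens-14.0.0/package.json"}),
    ("2024-05-01T09:05:00", "file_create", {"host": "dev01", "path": "/home/ann/.vscode/extensions/acme.helper-0.0.1/package.json"}),
    ("2024-05-01T09:05:30", "net", {"host": "dev01", "process": "code", "dest": "marketplace.visualstudio.com"}),
    ("2024-05-01T09:06:10", "process", {"host": "dev01", "parent": "code", "image": "bash"}),
    ("2024-05-01T09:06:12", "net", {"host": "dev01", "process": "code", "dest": "tunnel.example.net"}),
    ("2024-05-01T10:30:00", "net", {"host": "dev02", "process": "code", "dest": "marketplace.visualstudio.com"}),
]

def extension_id(path):
    """Return publisher.name from an IDE extension directory path, or None.
    Assumes the VS Code-style layout .../extensions/<publisher>.<name>-<version>/."""
    parts = path.replace("\\", "/").split("/")
    if "extensions" not in parts:
        return None
    idx = parts.index("extensions") + 1
    if idx >= len(parts):
        return None
    return parts[idx].rsplit("-", 1)[0]   # drop the trailing version

def detect(events, baseline=APPROVED_EXTENSIONS, approved_hosts=APPROVED_HOSTS):
    """Alert when an unapproved extension install on a host is followed within
    WINDOW by an IDE-spawned shell or an IDE connection to a non-approved host."""
    pending = {}   # host -> [(install time, extension id)] awaiting follow-on activity
    alerts = []
    for ts_s, kind, f in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_s)
        if kind == "file_create":
            ext = extension_id(f["path"])
            if ext and ext not in baseline:
                pending.setdefault(f["host"], []).append((ts, ext))
            continue
        suspicious = (kind == "process" and f["parent"] in IDE_PROCESSES and f.get("image") in SHELLS) or (
            kind == "net" and f["process"] in IDE_PROCESSES and f["dest"] not in approved_hosts)
        if not suspicious:
            continue   # approved marketplace traffic and ordinary IDE children stay quiet
        for inst_ts, ext in pending.get(f["host"], []):
            if timedelta(0) <= ts - inst_ts <= WINDOW:
                alerts.append({"host": f["host"], "extension": ext, "trigger": kind, "detail": f.get("image") or f.get("dest")})
    return alerts
```

With the constructed events, only the unapproved install on dev01 produces alerts (one for the IDE-spawned shell, one for the outbound connection), while the approved GitLens install and marketplace access on both hosts do not.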
Mitigation priorities
- Establish an approved IDE and extension governance process for developer endpoints.
- Restrict or monitor extension installation sources where operationally feasible.
- Maintain asset and software inventory that includes developer tools and installed extensions.
- Apply least privilege to developer workstations and separate routine development access from high-risk administrative or production access.
- Ensure endpoint, network, and identity logs from developer systems are retained long enough to support incident response.
Analyst notes and limits
This take is based on the detection strategy metadata and its ATT&CK relationship to T1176.002, IDE Extensions. The object itself does not provide an official description, detection logic, platforms, or tactics, so the technical guidance is framed as validation direction rather than a claim of specific MITRE-provided analytics.
The official detection strategy fields are sparse. Local IDE usage, extension policy, endpoint management coverage, and available telemetry will determine whether this behavior can be detected reliably. No active exploitation, attribution, or guaranteed detection coverage is implied by the supplied data.
Detect malicious IDE extension install/usage and IDE tunneling
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1176.002 | IDE Extensions (sub-technique) | This object detects IDE Extensions. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 43979653c3ad… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0561
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.