THREAT OPS › Threat News › The Accidental C2: Exploring Dev Tunnels for Remote Access
The Accidental C2: Exploring Dev Tunnels for Remote Access
<p class="wp-block-paragraph"><strong><em>TL;DR:</em> </strong><em>Dev Tunnels aren’t “just port forwarding”. They consist of layers of embedded protocols with RPC messages being exchanged. Once you peel the layers, you quickly see how Dev Tunnels are a C2 framework with extra steps.</em></p>
<h2 class="wp-block-heading" id="h-introduction">Introduction</h2>
<p class="wp-block-pa
MITRE ATT&CK techniques
Indicators of compromise
- 74e0475cda48f26d653aab5b5a959ca2md5
- https://a5n51h3l-{port}.uks1.devtunnels.ms/url
- https://a5n51h3l.uks1.devtunnels.ms/url
- https://a5n51h3l-31545.uks1.devtunnels.ms/url
- https://a5n51h3l-31545-inspect.uks1.devtunnels.ms/url
- https://entrascopes.com/url
- https://entrascopes.com/?appId=aebc6443-996d-45c2-90f0-388ff96faa56url
- https://entrascopes.com/?resource=46da2f7e-b5ef-422a-88d4-2a7f9de6a0b2url
- https://entrascopes.com/?appId=872cd9fa-d31f-45e0-9eab-6e460a02d1f1url
- https://entrascopes.com/?foci=trueurl
- http://straiker.aiurl
- https://www.straiker.ai/blog/nomshub-cursor-remote-tunneling-sandbox-breakouturl
- a5n51h3l@ssh.uks1.devtunnels.msemail
- global.rel.tunnels.api.visualstudio.comdomain
- uks1-data.rel.tunnels.api.visualstudio.comdomain
- clusterid.rel.tunnels.api.visualstudio.comdomain
- login.microsoftonline.comdomain
Original source: https://specterops.io/blog/2026/05/06/dev-tunnels-the-accidental-c2/