Potential Protocol Tunneling via Yuze
Identifies execution of Yuze, a lightweight open-source tunneling tool used for intranet penetration. Yuze supports forward and reverse SOCKS5 proxy tunneling and is typically executed via rundll32 loading yuze.dll with the RunYuze export. Threat actors may use it to proxy C2 or pivot traffic.
Elastic rule
[metadata]
creation_date = "2026/03/18"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
maturity = "production"
updated_date = "2026/05/04"

[rule]
author = ["Elastic"]
description = """
Identifies execution of Yuze, a lightweight open-source tunneling tool used for intranet penetration. Yuze supports
forward and reverse SOCKS5 proxy tunneling and is typically executed via rundll32 loading yuze.dll with the RunYuze
export. Threat actors may use it to proxy C2 or pivot traffic.
"""
from = "now-9m"
index = [
  "endgame-*",
  "logs-crowdstrike.fdr*",
  "logs-endpoint.events.process-*",
  "logs-m365_defender.event-*",
  "logs-sentinel_one_cloud_funnel.*",
  "logs-system.security*",
  "logs-windows.sysmon_operational-*",
  "winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "Potential Protocol Tunneling via Yuze"
note = """## Triage and analysis

### Investigating Potential Protocol Tunneling via Yuze

Yuze is a C-based tunneling tool used for intranet penetration and supports forward and reverse SOCKS5 proxy tunneling. It is commonly executed as `rundll32 yuze.dll,RunYuze reverse -c <ip>:<port>` and has been observed in threat actor campaigns.

### Possible investigation steps

- Confirm the command line contains `yuze.dll` and `RunYuze`; typical form is `rundll32 yuze.dll,RunYuze reverse -c <ip>:<port>`.
- Extract the remote endpoint from the `-c` argument (C2 or relay) and look up the IP/domain in threat intelligence.
- Locate where yuze.dll was loaded from; check file creation time to see if it was recently dropped.
- Identify the parent process that started rundll32 (script, scheduled task, exploit, etc.) to understand the execution chain.
- Correlate with network events for outbound connections from this host to the IP/port in the command line.

### False positive analysis

- Legitimate use of Yuze is rare; most hits are likely malicious or red-team. If you use Yuze for authorized testing, consider an exception by host or user.

### Response and remediation

- Isolate the host and terminate the rundll32 process.
- Remove yuze.dll from disk and hunt for other copies or related artifacts.
- Block the C2/relay IP or domain at DNS/firewall; rotate credentials if the tunnel was used for access.
"""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [CrowdStrike](https://ela.st/crowdstrike-integration)
- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
- [Windows Process Creation Logs](https://ela.st/audit-process-creation)
"""

references = [
  "https://attack.mitre.org/techniques/T1572/",
  "https://github.com/P001water/yuze",
  "https://www.trendmicro.com/tr_tr/research/26/c/dissecting-a-warlock-attack.html",
]
risk_score = 47
rule_id = "e7f2c4a1-9b3d-5e8f-c6a0-2d1b4e7f8c3a"
severity = "medium"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Command and Control",
  "Resources: Investigation Guide",
  "Data Source: Elastic Defend",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
  "Data Source: Microsoft Defender XDR",
  "Data Source: Crowdstrike",
  "Data Source: Elastic Endgame",
  "Data Source: Windows Security Event Logs"
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  (
    (process.args : "reverse" and process.args : ("-c", "-s")) or
    (process.args : ("proxy", "fwd") and process.args : "-l")
  ) and
  (?process.code_signature.exists == false or process.name : "rundll32.exe")
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1090"
name = "Proxy"
reference = "https://attack.mitre.org/techniques/T1090/"

[[rule.threat.technique]]
id = "T1572"
name = "Protocol Tunneling"
reference = "https://attack.mitre.org/techniques/T1572/"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"

[[rule.threat.technique.subtechnique]]
id = "T1218.011"
name = "Rundll32"
reference = "https://attack.mitre.org/techniques/T1218/011/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
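As an added example that is not part of the Elastic rule or this page, the Python below renders the query's EQL conditions (including the optional-field `?` semantics on `process.code_signature.exists`) over constructed sample process-start events, then applies the first two triage steps from the investigation guide: checking for `yuze.dll`/`RunYuze` in the command line and extracting the relay endpoint after `-c`. The event shapes follow the ECS fields the query reads; the command lines and addresses are constructed samples.

```python
# Constructed sample process-start events (not real telemetry), shaped like the ECS fields the query reads.
SAMPLE_EVENTS = [
    {"host": {"os": {"type": "windows"}}, "event": {"type": "start"},
     "process": {"name": "rundll32.exe", "code_signature": {"exists": False},
                 "args": ["rundll32", "yuze.dll,RunYuze", "reverse", "-c", "203.0.113.10:8443"]}},
    {"host": {"os": {"type": "windows"}}, "event": {"type": "start"},
     "process": {"name": "svc.exe", "code_signature": {"exists": False},
                 "args": ["svc.exe", "fwd", "-l", "1080"]}},
    {"host": {"os": {"type": "windows"}}, "event": {"type": "start"},
     "process": {"name": "vendor.exe", "code_signature": {"exists": True},
                 "args": ["vendor.exe", "reverse", "-c", "cfg.ini"]}},
    {"host": {"os": {"type": "linux"}}, "event": {"type": "start"},
     "process": {"name": "rundll32.exe",  # no code_signature field at all
                 "args": ["rundll32", "yuze.dll,RunYuze", "reverse", "-c", "198.51.100.7:443"]}},
]

def _has_arg(args, *wanted):
    """EQL `process.args : (...)` matches case-insensitively against any element of the array."""
    lowered = {a.lower() for a in args}
    return any(w.lower() in lowered for w in wanted)

def matches_rule(ev):
    """Python rendering of the rule's EQL query, including the optional-field (?) semantics."""
    if ev.get("host", {}).get("os", {}).get("type") != "windows" or ev.get("event", {}).get("type") != "start":
        return False
    proc = ev.get("process", {})
    args = proc.get("args", [])
    mode_hit = (_has_arg(args, "reverse") and _has_arg(args, "-c", "-s")) or \
               (_has_arg(args, "proxy", "fwd") and _has_arg(args, "-l"))
    # `?process.code_signature.exists == false` holds only when the field is present and false; a missing field is null.
    unsigned = proc.get("code_signature", {}).get("exists") is False
    return mode_hit and (unsigned or proc.get("name", "").lower() == "rundll32.exe")

def remote_endpoint(args):
    """Triage step: the <ip>:<port> that follows -c (the relay the reverse tunnel dials out to), or None."""
    for i, a in enumerate(args[:-1]):
        if a.lower() == "-c":
            return args[i + 1]
    return None

def triage(events):
    """One record per event the rule would alert on, with the first two triage checks applied."""
    hits = []
    for ev in events:
        if matches_rule(ev):
            p = ev["process"]
            hits.append({"process": p["name"], "endpoint": remote_endpoint(p["args"]),
                         "yuze_dll": any("yuze.dll" in a.lower() for a in p["args"])})
    return hits
```

The third sample shows why the signature gate matters: a signed, non-rundll32 binary with `reverse -c` does not fire, while the unsigned `fwd -l` case does even without any Yuze artefact in its command line, which is exactly the case the `yuze.dll` check in triage is meant to separate out.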