Communication To LocaltoNet Tunneling Service Initiated - Linux
Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet. Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
Sigma rule (View on GitHub)
1title: Communication To LocaltoNet Tunneling Service Initiated - Linux
2id: c4568f5d-131f-4e78-83d4-45b2da0ec4f1
3status: experimental
4description: |
5 Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains.
6 LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.
7 Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
8references:
9 - https://localtonet.com/documents/supported-tunnels
10 - https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications
11author: Andreas Braathen (mnemonic.io)
12date: 2024-06-17
13tags:
14 - attack.command-and-control
15 - attack.t1572
16 - attack.t1090
17 - attack.t1102
18logsource:
19 category: network_connection
20 product: linux
21detection:
22 selection:
23 DestinationHostname|endswith:
24 - '.localto.net'
25 - '.localtonet.com'
26 Initiated: 'true'
27 condition: selection
28falsepositives:
29 - Legitimate use of the LocaltoNet service.
30level: high
References
-
-
UNC3944's recent attacks against SaaS applications provide insights into the group's evolving TTPs.
Read More
Related rules
- Cloudflared Tunnel Connections Cleanup
- Cloudflared Tunnel Execution
- Communication To LocaltoNet Tunneling Service Initiated
- Communication To Ngrok Tunneling Service - Linux
- Communication To Ngrok Tunneling Service Initiated