Communication To LocaltoNet Tunneling Service Initiated

Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet. Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.

Sigma rule (View on GitHub)

 1title: Communication To LocaltoNet Tunneling Service Initiated
 2id: 3ab65069-d82a-4d44-a759-466661a082d1
 3status: experimental
 4description: |
 5    Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains.
 6    LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.
 7    Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.    
 8references:
 9    - https://localtonet.com/documents/supported-tunnels
10    - https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications
11author: Andreas Braathen (mnemonic.io)
12date: 2024-06-17
13tags:
14    - attack.command-and-control
15    - attack.t1572
16    - attack.t1090
17    - attack.t1102
18logsource:
19    category: network_connection
20    product: windows
21detection:
22    selection:
23        DestinationHostname|endswith:
24            - '.localto.net'
25            - '.localtonet.com'
26        Initiated: 'true'
27    condition: selection
28falsepositives:
29    - Legitimate use of the LocaltoNet service.
30level: high

References

Related rules

to-top