HackTool - Htran/NATBypass Execution
Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)
Sigma rule (View on GitHub)
1title: HackTool - Htran/NATBypass Execution
2id: f5e3b62f-e577-4e59-931e-0a15b2b94e1e
3status: test
4description: Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)
5references:
6 - https://github.com/HiwinCN/HTran
7 - https://github.com/cw1997/NATBypass
8author: Florian Roth (Nextron Systems)
9date: 2022-12-27
10modified: 2023-02-04
11tags:
12 - attack.command-and-control
13 - attack.t1090
14 - attack.s0040
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection_img:
20 Image|endswith:
21 - '\htran.exe'
22 - '\lcx.exe'
23 selection_cli:
24 CommandLine|contains:
25 - '.exe -tran '
26 - '.exe -slave '
27 condition: 1 of selection_*
28falsepositives:
29 - Unknown
30level: high
References
Related rules
- Cloudflared Tunnel Connections Cleanup
- Cloudflared Tunnel Execution
- Communication To LocaltoNet Tunneling Service Initiated
- Communication To LocaltoNet Tunneling Service Initiated - Linux
- Communication To Ngrok Tunneling Service - Linux