HackTool - Htran/NATBypass Execution
Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)
Sigma rule (View on GitHub)
1title: HackTool - Htran/NATBypass Execution
2id: f5e3b62f-e577-4e59-931e-0a15b2b94e1e
3status: test
4description: Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)
5references:
6 - https://github.com/HiwinCN/HTran
7 - https://github.com/cw1997/NATBypass
8author: Florian Roth (Nextron Systems)
9date: 2022/12/27
10modified: 2023/02/04
11tags:
12 - attack.command_and_control
13 - attack.t1090
14 - attack.s0040
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection_img:
20 Image|endswith:
21 - '\htran.exe'
22 - '\lcx.exe'
23 selection_cli:
24 CommandLine|contains:
25 - '.exe -tran '
26 - '.exe -slave '
27 condition: 1 of selection_*
28falsepositives:
29 - Unknown
30level: high
References
-
HTran is a connection bouncer, a kind of proxy server. A “listener” program is hacked stealthily onto an unsuspecting host anywhere on the Internet. When it receives signals from the actual target...
Read More -
一款lcx在golang下的实现, 可用于内网穿透, 建立TCP反弹隧道用以绕过防火墙入站限制等, This tool is used to establish reverse tunnel in NAT network environment, it can bypass firewall inbound restriction, support all functions of lcx....
Read More
Related rules
- PUA - Fast Reverse Proxy (FRP) Execution
- PUA - NPS Tunneling Tool Execution
- New Port Forwarding Rule Added Via Netsh.EXE
- Communication To Ngrok Tunneling Service - Linux
- Ngrok Usage with Remote Desktop Service