PUA - 3Proxy Execution

 1title: PUA - 3Proxy Execution
 2id: f38a82d2-fba3-4781-b549-525efbec8506
 3status: test
 4description: Detects the use of 3proxy, a tiny free proxy server
 5references:
 6    - https://github.com/3proxy/3proxy
 7    - https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
 8author: Florian Roth (Nextron Systems)
 9date: 2022-09-13
10modified: 2023-02-21
11tags:
12    - attack.command-and-control
13    - attack.t1572
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection_img:
19        Image|endswith: '\3proxy.exe'
20    selection_pe:
21        Description: '3proxy - tiny proxy server'
22    selection_params: # param combos seen in the wild
23        CommandLine|contains: '.exe -i127.0.0.1 -p'
24    condition: 1 of selection_*
25falsepositives:
26    - Administrative activity
27level: high

References

• GitHub - 3proxy/3proxy: 3proxy - tiny free proxy server

  

  3proxy - tiny free proxy server. Contribute to 3proxy/3proxy development by creating an account on GitHub.

  
  Read More

• Lazarus and the tale of three RATs

  

  Cisco Talos assesses with high confidence these attacks have been conducted by the North Korean state-sponsored threat actor Lazarus Group.

  
  Read More

Related rules

• Communication To LocaltoNet Tunneling Service Initiated
• Communication To LocaltoNet Tunneling Service Initiated - Linux
• Communication To Ngrok Tunneling Service - Linux
• Communication To Ngrok Tunneling Service Initiated
• PUA - Ngrok Execution