PUA - Fast Reverse Proxy (FRP) Execution
Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.
Sigma rule
title: PUA - Fast Reverse Proxy (FRP) Execution
id: 32410e29-5f94-4568-b6a3-d91a8adad863
status: test
description: Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.
references:
    - https://asec.ahnlab.com/en/38156/
    - https://github.com/fatedier/frp
author: frack113, Florian Roth
date: 2022-09-02
modified: 2024-11-23
tags:
    - attack.command-and-control
    - attack.t1090
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\frpc.exe'
            - '\frps.exe'
    selection_cli:
        CommandLine|contains: '\frpc.ini'
    selection_hashes:
        # v0.44.0
        Hashes|contains:
            - "MD5=7D9C233B8C9E3F0EA290D2B84593C842"
            - "SHA1=06DDC9280E1F1810677935A2477012960905942F"
            - "SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C"
    condition: 1 of selection_*
falsepositives:
    - Legitimate use
level: high
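Added example (not part of the original rule page): a small Python evaluator that applies the rule's three selections and its "1 of selection_*" condition to process-creation events, to show which selection fires for which event. The function names and the sample events are constructed for illustration; it assumes Sysmon-style fields where Hashes is one comma-separated string.

```python
# Added example: this rule's detection logic applied to constructed Sysmon-style events.

IMAGE_SUFFIXES = ("\\frpc.exe", "\\frps.exe")  # already lower case
CLI_SUBSTRING = "\\frpc.ini"
# Copied from the rule's selection_hashes block (frp v0.44.0).
RULE_HASHES = (
    "MD5=7D9C233B8C9E3F0EA290D2B84593C842",
    "SHA1=06DDC9280E1F1810677935A2477012960905942F",
    "SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C",
)


def matched_selections(event):
    """Return the selections that match; Sigma compares strings case-insensitively."""
    image = event.get("Image", "").lower()
    cli = event.get("CommandLine", "").lower()
    hashes = event.get("Hashes", "").lower()
    hits = []
    if image.endswith(IMAGE_SUFFIXES):
        hits.append("selection_img")
    if CLI_SUBSTRING in cli:
        hits.append("selection_cli")
    if any(h.lower() in hashes for h in RULE_HASHES):
        hits.append("selection_hashes")
    return hits


def rule_fires(event):
    return bool(matched_selections(event))  # condition: 1 of selection_*


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # Default name in upper case plus an absolute config path.
    {"Image": "C:\\Users\\Public\\FRPC.EXE",
     "CommandLine": "FRPC.EXE -c C:\\Users\\Public\\frpc.ini",
     "Hashes": "MD5=" + "0" * 32 + ",SHA256=" + "0" * 64},
    # Different file name and arguments; only the v0.44.0 hash matches.
    {"Image": "C:\\ProgramData\\tool.exe",
     "CommandLine": "tool.exe -c settings.ini",
     "Hashes": "MD5=7d9c233b8c9e3f0ea290d2b84593c842,SHA256=" + "1" * 64},
    # Unrelated process: no selection matches.
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\Temp\\notes.txt", "Hashes": "MD5=" + "2" * 32},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["Image"], "->", matched_selections(ev) or "no match")
```

The hash selection only covers the v0.44.0 build listed in the rule, so the image-name and command-line selections carry detection for every other version.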
Related rules
- PUA - NPS Tunneling Tool Execution
- PUA- IOX Tunneling Tool Execution
- Cloudflared Tunnel Connections Cleanup
- Cloudflared Tunnel Execution
- Communication To LocaltoNet Tunneling Service Initiated