PUA - Fast Reverse Proxy (FRP) Execution
Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.
Sigma rule (View on GitHub)
```yaml
title: PUA - Fast Reverse Proxy (FRP) Execution
id: 32410e29-5f94-4568-b6a3-d91a8adad863
status: test
description: Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.
references:
    - https://asec.ahnlab.com/en/38156/
    - https://github.com/fatedier/frp
author: frack113, Florian Roth
date: 2022-09-02
modified: 2023-02-04
tags:
    - attack.command-and-control
    - attack.t1090
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\frpc.exe'
            - '\frps.exe'
    selection_cli:
        CommandLine|contains: '\frpc.ini'
    selection_hashes:
        # v0.44.0
        - Hashes|contains:
              - "MD5=7D9C233B8C9E3F0EA290D2B84593C842"
              - "SHA1=06DDC9280E1F1810677935A2477012960905942F"
              - "SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C"
        - md5: '7d9c233b8c9e3f0ea290d2b84593c842'
        - sha1: '06ddc9280e1f1810677935a2477012960905942f'
        - sha256: '57b0936b8d336d8e981c169466a15a5fd21a7d5a2c7daf62d5e142ee860e387c'
    condition: 1 of selection_*
falsepositives:
    - Legitimate use
level: high
```
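The following is an added example, not part of the original rule or the Sigma project: a small Python evaluator that applies the rule's three selections and its `1 of selection_*` condition to process-creation events, useful for checking which selection a given event would trip. The event dictionaries, paths and command lines are constructed samples, and the function names are hypothetical; only the suffixes, the substring and the hash values come from the rule.

```python
# Added example: evaluates the rule's selections against constructed
# Sysmon-style process_creation events. Sigma string matching is
# case-insensitive by default, so values are lowercased before comparing.

IMG_SUFFIXES = ("\\frpc.exe", "\\frps.exe")
CLI_SUBSTR = "\\frpc.ini"
# Hash values copied from the rule (frp v0.44.0).
HASHES = {
    "md5": "7d9c233b8c9e3f0ea290d2b84593c842",
    "sha1": "06ddc9280e1f1810677935a2477012960905942f",
    "sha256": "57b0936b8d336d8e981c169466a15a5fd21a7d5a2c7daf62d5e142ee860e387c",
}

def matched_selections(event):
    """Return the names of the selection_* blocks that match one event."""
    hits = []
    if event.get("Image", "").lower().endswith(IMG_SUFFIXES):
        hits.append("selection_img")
    if CLI_SUBSTR in event.get("CommandLine", "").lower():
        hits.append("selection_cli")
    # Sysmon style: a single "Hashes" field such as "MD5=...,SHA256=...".
    combined = event.get("Hashes", "").lower()
    in_combined = any(f"{k}={v}" in combined for k, v in HASHES.items())
    # Other log sources: separate md5 / sha1 / sha256 fields.
    in_fields = any(event.get(k, "").lower() == v for k, v in HASHES.items())
    if in_combined or in_fields:
        hits.append("selection_hashes")
    return hits

def rule_fires(event):
    """Implements 'condition: 1 of selection_*'."""
    return bool(matched_selections(event))

# Constructed sample events (all paths and command lines are made up).
EVENTS = [
    {"Image": "C:\\Tools\\FRPC.EXE", "CommandLine": "frpc.exe -c C:\\Tools\\frpc.ini"},
    {"Image": "C:\\ProgramData\\svc.exe", "CommandLine": "svc.exe",
     "Hashes": "MD5=7D9C233B8C9E3F0EA290D2B84593C842,IMPHASH=00000000000000000000000000000000"},
    {"Image": "C:\\ProgramData\\svc.exe", "CommandLine": "svc.exe -c C:\\ProgramData\\frpc.ini"},
    {"Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["Image"], "->", matched_selections(ev) or "no match")
```

The hash selection only covers the v0.44.0 build listed in the rule, so events from other frp builds rely on the image-name and command-line selections.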
Related rules
- Communication To LocaltoNet Tunneling Service Initiated
- Communication To LocaltoNet Tunneling Service Initiated - Linux
- Communication To Ngrok Tunneling Service - Linux
- Communication To Ngrok Tunneling Service Initiated
- HackTool - Htran/NATBypass Execution