PUA - Fast Reverse Proxy (FRP) Execution

calendar Dec 1, 2023 · attack.command_and_control attack.t1090  ·
Share on: linkedin copy

Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.

Sigma rule (View on GitHub)

 1title: PUA - Fast Reverse Proxy (FRP) Execution
 2id: 32410e29-5f94-4568-b6a3-d91a8adad863
 3status: test
 4description: Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.
 5references:
 6    - https://asec.ahnlab.com/en/38156/
 7    - https://github.com/fatedier/frp
 8author: frack113, Florian Roth
 9date: 2022/09/02
10modified: 2023/02/04
11tags:
12    - attack.command_and_control
13    - attack.t1090
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection_img:
19        Image|endswith:
20            - '\frpc.exe'
21            - '\frps.exe'
22    selection_cli:
23        CommandLine|contains: '\frpc.ini'
24    selection_hashes:
25        # v0.44.0
26        - Hashes|contains:
27              - "MD5=7D9C233B8C9E3F0EA290D2B84593C842"
28              - "SHA1=06DDC9280E1F1810677935A2477012960905942F"
29              - "SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C"
30        - md5: '7d9c233b8c9e3f0ea290d2b84593c842'
31        - sha1: '06ddc9280e1f1810677935a2477012960905942f'
32        - sha256: '57b0936b8d336d8e981c169466a15a5fd21a7d5a2c7daf62d5e142ee860e387c'
33    condition: 1 of selection_*
34falsepositives:
35    - Legitimate use
36level: high

References

  • Attackers Using FRP (Fast Reverse Proxy) to Attack Korean Companies - ASEC BLOG

    Recently, there have been frequent incidents where attackers infiltrated and took control of the internal network of Korean companies, starting with vulnerable servers externally exposed. Cases of Attacks Targeting Vulnerable Atlassian Confluence Servers Meterpreter Distributed to Vulnerable Server of Korean Medical Institution AsyncRAT Being Distributed to Vulnerable MySQL Servers This is a case of infiltration into an IIS web server or an MS Exchange server and is the same as previously known types. However, this post will discuss cases that are presumed to be done by a certain hacker group, not by individual attackers. The most significant characteristic of this group is that they use FRP open-source tools. This group finds a server accessible from outside and attacks it, and when infiltration...


    Read More

  • GitHub - fatedier/frp: A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.

    A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet. - fatedier/frp


    Read More

Related rules

to-top