PUA - NPS Tunneling Tool Execution
Detects the use of NPS, a port forwarding and intranet penetration proxy server
Sigma rule (View on GitHub)
1title: PUA - NPS Tunneling Tool Execution
2id: 68d37776-61db-42f5-bf54-27e87072d17e
3status: test
4description: Detects the use of NPS, a port forwarding and intranet penetration proxy server
5references:
6 - https://github.com/ehang-io/nps
7author: Florian Roth (Nextron Systems)
8date: 2022-10-08
9modified: 2023-02-04
10tags:
11 - attack.command-and-control
12 - attack.t1090
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection_img:
18 Image|endswith: '\npc.exe'
19 selection_cli_1:
20 CommandLine|contains|all:
21 - ' -server='
22 - ' -vkey='
23 - ' -password='
24 selection_cli_2:
25 CommandLine|contains: ' -config=npc'
26 selection_hashes:
27 # v0.26.10
28 - Hashes|contains:
29 - "MD5=AE8ACF66BFE3A44148964048B826D005"
30 - "SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181"
31 - "SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856"
32 - md5: 'ae8acf66bfe3a44148964048b826d005'
33 - sha1: 'cea49e9b9b67f3a13ad0be1c2655293ea3c18181'
34 - sha256: '5a456283392ffceeeaca3d3426c306eb470304637520d72fed1cc1febbbd6856'
35 condition: 1 of selection_*
36falsepositives:
37 - Legitimate use
38level: high
References
-
一款轻量级、高性能、功能强大的内网穿透代理服务器。支持tcp、udp、socks5、http等几乎所有流量转发,可用来访问内网网站、本地支付接口调试、ssh访问、远程桌面,内网dns解析、内网socks5代理等等……,并带有功能强大的web管理端。a lightweight, high-performance, powerful intranet penetration proxy serv...
Read More
Related rules
- Communication To LocaltoNet Tunneling Service Initiated
- Communication To LocaltoNet Tunneling Service Initiated - Linux
- Communication To Ngrok Tunneling Service - Linux
- Communication To Ngrok Tunneling Service Initiated
- HackTool - Htran/NATBypass Execution