PUA - NPS Tunneling Tool Execution
Detects the use of NPS, a port forwarding and intranet penetration proxy server
Sigma rule (View on GitHub)
1title: PUA - NPS Tunneling Tool Execution
2id: 68d37776-61db-42f5-bf54-27e87072d17e
3status: test
4description: Detects the use of NPS, a port forwarding and intranet penetration proxy server
5references:
6 - https://github.com/ehang-io/nps
7author: Florian Roth (Nextron Systems)
8date: 2022-10-08
9modified: 2024-11-23
10tags:
11 - attack.command-and-control
12 - attack.t1090
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection_img:
18 Image|endswith: '\npc.exe'
19 selection_cli_1:
20 CommandLine|contains|all:
21 - ' -server='
22 - ' -vkey='
23 - ' -password='
24 selection_cli_2:
25 CommandLine|contains: ' -config=npc'
26 selection_hashes:
27 # v0.26.10
28 Hashes|contains:
29 - "MD5=AE8ACF66BFE3A44148964048B826D005"
30 - "SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181"
31 - "SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856"
32 condition: 1 of selection_*
33falsepositives:
34 - Legitimate use
35level: high
References
-
一款轻量级、高性能、功能强大的内网穿透代理服务器。支持tcp、udp、socks5、http等几乎所有流量转发,可用来访问内网网站、本地支付接口调试、ssh访问、远程桌面,内网dns解析、内网socks5代理等等……,并带有功能强大的web管理端。a lightweight, high-performance, powerful intranet penetration proxy serv...
Read More
Related rules
- PUA - Fast Reverse Proxy (FRP) Execution
- PUA- IOX Tunneling Tool Execution
- Cloudflared Tunnel Connections Cleanup
- Cloudflared Tunnel Execution
- Communication To LocaltoNet Tunneling Service Initiated