Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to cleanup tunnel connections.

Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.

Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule

Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule

Detects the use of IOX - a tool for port forwarding and intranet proxy purposes

Detects the use of NPS, a port forwarding and intranet penetration proxy server

Detects exeuctable names or flags used by Htran or Htran-like tools (e.g. NATBypass)

Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.

Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors

Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors

Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour

Detects powershell scripts that creates sockets/listeners which could be indicative of tunneling activity

Detects setting proxy configuration

Detects the modification of PortProxy registry key which is used for port forwarding. For command execution see rule win_netsh_port_fwd.yml.