Detects potentially suspicious execution of the Qemu utility in a Windows environment. Threat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersky.

Read More

Detects the execution of the "curl.exe" command, referencing "SOCKS" and ".onion" domains, which could be indicative of Kalambur backdoor activity.

Read More

Detects instances where an HTTPPROXY service on an OpenCanary node has had an attempt to proxy another page.

Read More

Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.

Read More

Detects the use of NPS, a port forwarding and intranet penetration proxy server

Read More

Detects the use of IOX - a tool for port forwarding and intranet proxy purposes

Read More

Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to cleanup tunnel connections.

Read More

Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.

Read More

Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet. Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.

Read More

Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet. Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.

Read More

Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors

Read More

Detects an executable initiating a network connection to "ngrok" tunneling domains. Attackers were seen using this "ngrok" in order to store their second stage payloads and malware. While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.

Read More

Detects setting proxy configuration

Read More

Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)

Read More

Indicates sign-in from a malicious IP address based on high failure rates.

Read More

Indicates sign-in from a malicious IP address known to be malicious at time of sign-in.

Read More

Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule

Read More

Detects the modification of the PortProxy registry key which is used for port forwarding.

Read More

Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour

Read More

Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule

Read More

Indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server.

Read More

Detects powershell scripts that creates sockets/listeners which could be indicative of tunneling activity

Read More