Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to clean up tunnel connections.
Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.
Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule
Detects the execution of netsh to configure a port forwarding rule for port 3389 (RDP)
Detects the use of IOX - a tool for port forwarding and intranet proxy purposes
Detects the use of NPS, a port forwarding and intranet penetration proxy server
Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)
Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.
Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden data exfiltration by malicious actors
Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour
Detects powershell scripts that create sockets/listeners, which could be indicative of tunneling activity
Detects the setting of a proxy configuration
Detects the modification of PortProxy registry key which is used for port forwarding. For command execution see rule win_netsh_port_fwd.yml.