Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)
Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.
Detects the use of NPS, a port forwarding and intranet penetration proxy server
Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule
Detects the use of IOX - a tool for port forwarding and intranet proxy purposes
Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data by malicious actors
Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour
Detects PowerShell scripts that create sockets/listeners, which could be indicative of tunneling activity
Indicates sign-in from a malicious IP address based on high failure rates.
Indicates sign-in from an IP address known to be malicious at the time of sign-in.
Indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server.
Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to clean up tunnel connections.
Detects execution of the "cloudflared" tool to connect back to a tunnel. This has been seen used by threat actors to maintain persistence and remote access to compromised networks.
Detects the execution of netsh to configure a port forwarding (PortProxy) rule for port 3389 (RDP)
Detects the setting of a proxy configuration
Detects the modification of the PortProxy registry key, which is used for port forwarding. For command execution see rule win_netsh_port_fwd.yml.