attack.t1090 | Detection.FYI

HackTool - Htran/NATBypass Execution

Dec 1, 2023 · attack.command_and_control attack.t1090 attack.s0040 ·
Share on:

Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)

Read More
PUA - Fast Reverse Proxy (FRP) Execution

Dec 1, 2023 · attack.command_and_control attack.t1090 ·
Share on:

Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.

Read More
PUA - NPS Tunneling Tool Execution

Dec 1, 2023 · attack.command_and_control attack.t1090 ·
Share on:

Detects the use of NPS, a port forwarding and intranet penetration proxy server

Read More
New Port Forwarding Rule Added Via Netsh.EXE

Oct 18, 2023 · attack.lateral_movement attack.defense_evasion attack.command_and_control attack.t1090 ·
Share on:

Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule

Read More
PUA- IOX Tunneling Tool Execution

Oct 18, 2023 · attack.command_and_control attack.t1090 ·
Share on:

Detects the use of IOX - a tool for port forwarding and intranet proxy purposes

Read More
Communication To Ngrok Tunneling Service

Oct 17, 2023 · attack.exfiltration attack.command_and_control attack.t1567 attack.t1568.002 attack.t1572 attack.t1090 attack.t1102 attack.s0508 ·
Share on:

Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors

Read More
Communication To Ngrok Tunneling Service - Linux

Oct 17, 2023 · attack.exfiltration attack.command_and_control attack.t1567 attack.t1568.002 attack.t1572 attack.t1090 attack.t1102 attack.s0508 ·
Share on:

Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors

Read More
Ngrok Usage with Remote Desktop Service

Oct 17, 2023 · attack.command_and_control attack.t1090 ·
Share on:

Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour

Read More
Suspicious TCP Tunnel Via PowerShell Script

Oct 17, 2023 · attack.command_and_control attack.t1090 ·
Share on:

Detects powershell scripts that creates sockets/listeners which could be indicative of tunneling activity

Read More
Malicious IP Address Sign-In Failure Rate

Sep 11, 2023 · attack.t1090 attack.command_and_control ·
Share on:

Indicates sign-in from a malicious IP address based on high failure rates.

Read More
Malicious IP Address Sign-In Suspicious

Sep 11, 2023 · attack.t1090 attack.command_and_control ·
Share on:

Indicates sign-in from a malicious IP address known to be malicious at time of sign-in.

Read More
Sign-In From Malware Infected IP

Sep 6, 2023 · attack.t1090 attack.command_and_control ·
Share on:

Indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server.

Read More
Cloudflared Tunnel Connections Cleanup

May 17, 2023 · attack.command_and_control attack.t1102 attack.t1090 attack.t1572 ·
Share on:

Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to cleanup tunnel connections.

Read More
Cloudflared Tunnel Execution

May 17, 2023 · attack.command_and_control attack.t1102 attack.t1090 attack.t1572 ·
Share on:

Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.

Read More
RDP Port Forwarding Rule Added Via Netsh.EXE

Feb 16, 2023 · attack.lateral_movement attack.defense_evasion attack.command_and_control attack.t1090 ·
Share on:

Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule

Read More
Connection Proxy

Oct 25, 2022 · attack.defense_evasion attack.t1090 ·
Share on:

Detects setting proxy configuration

Read More
PortProxy Registry Key

Oct 9, 2022 · attack.lateral_movement attack.defense_evasion attack.command_and_control attack.t1090 ·
Share on:

Detects the modification of PortProxy registry key which is used for port forwarding. For command execution see rule win_netsh_port_fwd.yml.

Read More