Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet. Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.

Read More

Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet. Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.

Read More

Detects potentially suspicious execution of the Qemu utility in a Windows environment. Threat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersky.

Read More

Will detect the presence of known SSH client and SSH server strings that have been used for SSH tunneling.

Read More

Detects port forwarding activity via SSH.exe

Read More

Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to cleanup tunnel connections.

Read More

Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.

Read More

Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors

Read More

Detects an executable initiating a network connection to "ngrok" tunneling domains. Attackers were seen using this "ngrok" in order to store their second stage payloads and malware. While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.

Read More

Execution of plink to perform data exfiltration and tunneling

Read More

Execution of ssh.exe to perform data exfiltration and tunneling through RDP

Read More

Detects the use of 3proxy, a tiny free proxy server

Read More

Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available. Involved domains are bin.equinox.io for download and *.ngrok.io for connections.

Read More

Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389

Read More

Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443

Read More

Detects Silence EmpireDNSAgent as described in the Group-IP report

Read More

Detects suspicious Plink tunnel port forwarding to a local port

Read More