Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to cleanup tunnel connections.

Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.

Detects Silence EmpireDNSAgent as described in the Group-IP report

Detects the use of 3proxy, a tiny free proxy server

Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available. Involved domains are bin.equinox.io for download and *.ngrok.io for connections.

Execution of plink to perform data exfiltration and tunneling

Detects suspicious Plink tunnel port forwarding to a local port

Detects suspicious SSH tunnel port forwarding to a local port

Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors

Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors

Execution of ssh.exe to perform data exfiltration and tunneling through RDP

Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443

Will detect the presence of known SSH client and SSH server strings that have been used for SSH tunneling.

Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389

Execution of well known tools for data exfiltration and tunneling