
Legitimate tunneling services used for C2 #239

@p-o-s-t

Description


Hunt Type 🔥

Flames (Hypothesis-Driven): Based on assumptions about adversary behavior or specific activities.

HEARTH Crafter

@p-o-s-t

Hunt Idea / Hypothesis

An adversary is making use of legitimate tunneling service(s) in their malware to bypass firewalls and establish a connection to a command and control server.

MITRE ATT&CK Tactic

Command and Control

Implementation Notes

Tunneling services such as TryCloudflare and Microsoft Dev Tunnels are used for legitimate purposes, letting developers securely share local web services across the internet. The presence of programs such as cloudflared.exe or devtunnel.exe is therefore not, on its own, a strong indicator of malicious activity; the hunt has to look at the context in which they run.

Search Tags

#c2 #tunnel #TA0011 #T1572 #T1102

Value and Impact

  • Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection or network filtering and to enable access to otherwise unreachable systems.
  • Dev Tunnels (Microsoft) create a secure, temporary URL that maps to a local service running on a machine, which works across firewalls and NAT.
  • Reverse tunneling tools allow software running on an endpoint to establish an outbound connection to the internet-based tunnel provider, which then provides the "inbound" path to the client system through the reverse tunnel. This flips the script on typical traffic behavior: the victim initiates the connection, so perimeter rules that only block inbound sessions never see it.
  • These services may conceal malicious traffic by blending in with existing traffic and provide an outer layer of encryption.
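The implementation note above says the binaries alone are a weak signal, so a hunt query has to weight the context around them: who launched the tunnel client, from where, and whether the command line actually opens a tunnel to a local port. The following is an added example for this hunt idea, not HEARTH project code. The event schema, the parent-process and install-directory lists, and the sample events are all constructed for the demonstration; the command-line patterns assume the `tunnel --url` (TryCloudflare quick tunnel) and `host -p` (Dev Tunnels) forms and should be adjusted to whatever your EDR or Sysmon telemetry records.

```python
"""Score process-creation events for legitimate tunneling clients used as C2.

Added example for the HEARTH hunt idea; not project code. Field names, the
allow/deny lists and the sample events are constructed for this demonstration.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Clients of the legitimate tunneling services named in the hunt (lowercase).
TUNNEL_BINARIES = {"cloudflared.exe", "devtunnel.exe"}

# Parents that normally have no business spawning a tunnel client.
# Assumption: tune this list to your environment (developer shells are omitted
# on purpose so that ordinary developer use does not score highly).
SUSPICIOUS_PARENTS = {
    "winword.exe", "excel.exe", "outlook.exe",
    "wscript.exe", "cscript.exe", "mshta.exe",
}

# Locations where an admin-installed developer tool is expected to live.
# Assumption: extend with your software-deployment paths.
EXPECTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Command lines that actually establish a tunnel to a local port. Assumption:
# `tunnel --url` (TryCloudflare quick tunnel) and `host -p` (Dev Tunnels).
OPENS_TUNNEL = re.compile(r"\btunnel\b.*--url|\bhost\b.*-p\s*\d+", re.I)


@dataclass
class ProcEvent:
    host: str
    user: str
    image: str          # full path of the executable
    parent_image: str   # full path of the parent process
    cmdline: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcEvent) -> Tuple[int, List[str]]:
    """Return (score, reasons). Score 0 means 'not a tunneling client at all'."""
    name = _basename(ev.image)
    if name not in TUNNEL_BINARIES:
        return 0, []
    # Presence of the binary is worth a single point: weak on its own.
    score, reasons = 1, [f"tunneling client {name}"]
    parent = _basename(ev.parent_image)
    if parent in SUSPICIOUS_PARENTS:
        score += 3
        reasons.append(f"spawned by {parent}")
    if not ev.image.lower().startswith(EXPECTED_DIRS):
        score += 2
        reasons.append("runs outside expected install directories")
    if OPENS_TUNNEL.search(ev.cmdline):
        score += 1
        reasons.append("command line opens a tunnel to a local port")
    return score, reasons


def hunt(events: List[ProcEvent], threshold: int = 4) -> List[Tuple[int, str, str, List[str]]]:
    """Return (score, host, user, reasons) for events at or above threshold, highest first."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((score, ev.host, ev.user, reasons))
    return sorted(hits, key=lambda h: h[0], reverse=True)


# Constructed sample telemetry: one developer, two suspect launches, one unrelated.
SAMPLE_EVENTS = [
    ProcEvent("dev-ws01", "CORP\\mlee",
              "C:\\Program Files (x86)\\cloudflared\\cloudflared.exe",
              "C:\\Windows\\System32\\cmd.exe",
              "cloudflared.exe tunnel run my-tunnel"),
    ProcEvent("fin-lt07", "CORP\\jdoe",
              "C:\\Users\\jdoe\\AppData\\Local\\Temp\\cloudflared.exe",
              "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
              "cloudflared.exe tunnel --url http://127.0.0.1:4444"),
    ProcEvent("hr-lt12", "CORP\\asmith",
              "C:\\Users\\asmith\\Downloads\\devtunnel.exe",
              "C:\\Windows\\explorer.exe",
              "devtunnel.exe host -p 3389"),
    ProcEvent("dev-ws01", "CORP\\mlee",
              "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
              "C:\\Windows\\explorer.exe",
              "chrome.exe --profile-directory=Default"),
]

if __name__ == "__main__":
    for score, host, user, reasons in hunt(SAMPLE_EVENTS):
        print(f"{score:2d}  {host:<10} {user:<14} {'; '.join(reasons)}")
```

Run as written, the developer's `tunnel run` from Program Files scores 1 and is never surfaced, while the Word-spawned quick tunnel from `%TEMP%` scores 7 and the Downloads-resident `devtunnel host -p 3389` scores 4 and crosses the threshold. Each scoring factor maps to one of the hunt's points: the parent-process check targets the "flip the script" pattern of user-facing software initiating the outbound leg, the path check catches a dropped copy rather than a deployed tool, and the command-line check separates an active tunnel from merely having the client present.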

Knowledge Base
