Closed netgrain closed 1 week ago
@nasbench Check failed below. Do you want separate titles even if these are different products? (seems that appending
1 | DuplicateTitleIssue | HIGH | Rule title used by multiple rules
Yeah. We want unique titles across all rules. We usually append something like the OS or LogSource to the title (I fixed it for you).
Summary of the Pull Request
Adds analytics to detect tunneling through the LocaltoNet service.
LocaltoNet is a legitimate reverse proxy application that threat actors may abuse for command-and-control and data exfiltration, similar to Ngrok.
A recent campaign that used it is described at https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications
Changelog
Example Log Event
Install locally via https://localtonet.com/documents. Running the client generates network connection events (Sysmon Event ID 3 / Windows Security Event ID 5156). The activity can alternatively be captured in DNS lookup or proxy logs (HTTP tunneling only; not all tunneled protocols are visible there).
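As an added illustration (not the rule submitted in this PR), the Python below applies the two indicators the description mentions to constructed Sysmon Event ID 3 and Security 5156 records: destination hosts under localtonet.com and network activity by the client binary. The client file name localtonet.exe and the use of subdomains under localtonet.com are assumptions.

```python
import ntpath

# Constructed sample events (not real telemetry); field names follow the Sysmon
# Event ID 3 and Windows Security Event ID 5156 fields commonly used in Sigma rules.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Tools\localtonet.exe",
     "DestinationHostname": "tunnel-eu1.localtonet.com", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Tools\updater.exe",
     "DestinationHostname": "cdn.localtonet.com", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "notlocaltonet.com", "DestinationPort": 443},
    {"EventID": 5156, "Application": r"\device\harddiskvolume2\users\bob\localtonet.exe",
     "DestAddress": "203.0.113.10", "DestPort": 443},
    {"EventID": 5156, "Application": r"\device\harddiskvolume2\windows\system32\svchost.exe",
     "DestAddress": "198.51.100.7", "DestPort": 443},
]

TUNNEL_DOMAIN = "localtonet.com"   # from the PR; matching subdomains is an assumption
CLIENT_BINARY = "localtonet.exe"   # assumed default client file name

def host_in_domain(host: str, domain: str = TUNNEL_DOMAIN) -> bool:
    """Label-aware suffix match: 'x.localtonet.com' yes, 'notlocaltonet.com' no."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def image_is_client(path: str, name: str = CLIENT_BINARY) -> bool:
    """Compare only the file name so both Sysmon and 5156 path formats work."""
    return ntpath.basename(path).lower() == name

def detect_localtonet(events):
    """Return (EventID, reason) for every event matching either indicator."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 3:
            image, host = ev.get("Image", ""), ev.get("DestinationHostname", "")
        elif eid == 5156:
            image, host = ev.get("Application", ""), ""  # 5156 logs an IP, no hostname
        else:
            continue
        if host and host_in_domain(host):
            findings.append((eid, f"connection to {host}"))
        elif image_is_client(image):
            findings.append((eid, f"network activity by {ntpath.basename(image)}"))
    return findings

if __name__ == "__main__":
    for eid, reason in detect_localtonet(SAMPLE_EVENTS):
        print(eid, reason)
```

The 5156 branch falls back to the binary name because that event records only the destination IP, which is why a DNS or proxy log source is the better place to catch the hostname when the client is renamed.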