Communication To LocaltoNet Tunneling Service Initiated
Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse proxy service that exposes localhost services to the Internet. Attackers have been observed using this service for command-and-control traffic in order to bypass MFA and perimeter controls.
Log Source
Windows / Network Connection
Product: windows
Category: network_connection
Events for outbound and inbound network connections including DNS resolution.
Detection Logic (1 selector)
detection:
    selection:
        DestinationHostname|endswith:
            - '.localto.net'
            - '.localtonet.com'
        Initiated: 'true'
    condition: selection
False Positives
Legitimate use of the LocaltoNet service.
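To show how the selector above behaves on real-looking telemetry, here is an added example (not part of the Sigma rule or the rule repository) that applies the rule's logic with Sigma's default matching semantics to a handful of constructed Windows network-connection events with Sysmon-style field names. It also illustrates two edge cases a practitioner should expect: inbound connections (`Initiated: false`) are not matched, and the bare apex domain without a leading dot does not satisfy the `endswith` suffixes.

```python
# Added example: evaluates the rule's single selector against constructed
# network-connection events. Field names follow Sysmon Event ID 3 style.

# Suffixes taken from the rule's DestinationHostname|endswith list.
SUFFIXES = ('.localto.net', '.localtonet.com')

def selection_matches(event: dict) -> bool:
    """Apply the rule's selection with Sigma's default semantics:
    string comparisons are case-insensitive, the list of suffixes is OR-ed,
    and the two fields (hostname suffix AND Initiated) are AND-ed."""
    host = str(event.get('DestinationHostname', '')).lower()
    initiated = str(event.get('Initiated', '')).lower()
    hostname_hit = any(host.endswith(suffix) for suffix in SUFFIXES)
    return hostname_hit and initiated == 'true'

# Constructed sample events, not real telemetry; paths and hostnames are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "DestinationHostname": "abc123.localto.net", "Initiated": "true"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "XYZ.LOCALTONET.COM", "Initiated": "true"},   # case-insensitive
    {"Image": r"C:\Program Files\App\app.exe",
     "DestinationHostname": "abc123.localto.net", "Initiated": "false"},  # inbound: not matched
    {"Image": r"C:\Program Files\Browser\browser.exe",
     "DestinationHostname": "localtonet.com", "Initiated": "true"},       # apex, no leading dot
    {"Image": r"C:\Program Files\Browser\browser.exe",
     "DestinationHostname": "www.example.com", "Initiated": "true"},
]

def run_rule(events: list) -> list:
    """Return the Image of every event the selection matches, in input order."""
    return [e["Image"] for e in events if selection_matches(e)]

if __name__ == "__main__":
    for image in run_rule(SAMPLE_EVENTS):
        print("ALERT: LocaltoNet tunnel connection initiated by", image)
```

Only the first two sample events fire; the third is an inbound connection and the fourth targets the apex domain rather than a sub-domain.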
MITRE ATT&CK
Rule Metadata
Rule ID
3ab65069-d82a-4d44-a759-466661a082d1
Status
test
Level
high
Type
Detection
Created
Mon Jun 17
Path
rules/windows/network_connection/net_connection_win_domain_localtonet_tunnel.yml
Raw Tags
attack.command-and-control, attack.t1572, attack.t1090, attack.t1102