Communication To LocaltoNet Tunneling Service Initiated - Linux
Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse proxy that exposes localhost services to the Internet. Attackers have been observed using this service for command-and-control activity to bypass MFA and perimeter controls.
Log Source
Product: linux
Category: network_connection
Events for outbound and inbound network connections including DNS resolution.
Detection Logic
detection:
    selection:
        DestinationHostname|endswith:
            - '.localto.net'
            - '.localtonet.com'
        Initiated: 'true'
    condition: selection
False Positives
Legitimate use of the LocaltoNet service.
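The selection above is small enough to reproduce outside a SIEM, which is useful when validating the rule against a sample of your own network-connection telemetry before deploying it. The following is an added example, not part of the rule or its repository: it implements the rule's two conditions in Python (Sigma string matching is case-insensitive, and `endswith` with a leading dot means the bare apex domain does not match) and runs them over constructed JSON-lines events that use the same field names as the rule. The `Image` and `DestinationPort` fields in the samples are assumed extras and are not evaluated.

```python
import json

# Suffixes and the Initiated condition are taken from the rule's selection block.
# Sigma compares strings case-insensitively, so values are lower-cased first.
TUNNEL_SUFFIXES = (".localto.net", ".localtonet.com")


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's 'selection' block."""
    hostname = str(event.get("DestinationHostname", "")).lower()
    # str() also covers sources that emit Initiated as a JSON boolean.
    initiated = str(event.get("Initiated", "")).lower()
    return initiated == "true" and hostname.endswith(TUNNEL_SUFFIXES)


def scan(lines):
    """Return a list of (line_number, event) for every JSON log line that matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the scan
        if matches_rule(event):
            hits.append((n, event))
    return hits


# Constructed sample events (not real telemetry). Lines 1 and 2 should match;
# line 3 is an inbound connection, line 4 is the apex domain without a
# subdomain, line 5 is a look-alike that lacks the leading dot, line 6 is benign.
SAMPLE_LOG = """
{"Image": "/usr/bin/curl", "DestinationHostname": "abc123.localto.net", "DestinationPort": 443, "Initiated": "true"}
{"Image": "/usr/bin/python3", "DestinationHostname": "Tunnel.LocaltoNet.com", "DestinationPort": 443, "Initiated": "true"}
{"Image": "/usr/sbin/sshd", "DestinationHostname": "abc123.localto.net", "DestinationPort": 22, "Initiated": "false"}
{"Image": "/usr/bin/wget", "DestinationHostname": "localto.net", "DestinationPort": 443, "Initiated": "true"}
{"Image": "/usr/bin/curl", "DestinationHostname": "notlocalto.net", "DestinationPort": 443, "Initiated": "true"}
{"Image": "/usr/bin/curl", "DestinationHostname": "example.com", "DestinationPort": 443, "Initiated": "true"}
""".strip().splitlines()


if __name__ == "__main__":
    for n, ev in scan(SAMPLE_LOG):
        print(f"line {n}: {ev['Image']} -> {ev['DestinationHostname']}")
```

Lines 4 and 5 are the cases worth noting when tuning: because the rule anchors on `.localto.net` with a leading dot, a connection to the apex domain or to an unrelated domain that merely ends in the same characters is not flagged, which keeps the false-positive note above limited to genuine use of the service.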
MITRE ATT&CK
Rule Metadata
Rule ID
c4568f5d-131f-4e78-83d4-45b2da0ec4f1
Status
test
Level
high
Type
Detection
Created
Mon Jun 17
Path
rules/linux/network_connection/net_connection_lnx_domain_localtonet_tunnel.yml
Raw Tags
attack.command-and-control
attack.t1572
attack.t1090
attack.t1102