/
proc_creation_win_pua_frp.yml
36 lines (36 loc) · 1.23 KB
/
proc_creation_win_pua_frp.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
title: PUA - Fast Reverse Proxy (FRP) Execution
id: 32410e29-5f94-4568-b6a3-d91a8adad863
status: test
description: Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.
references:
- https://asec.ahnlab.com/en/38156/
- https://github.com/fatedier/frp
author: frack113, Florian Roth
date: 2022/09/02
modified: 2023/02/04
tags:
- attack.command_and_control
- attack.t1090
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith:
- '\frpc.exe'
- '\frps.exe'
selection_cli:
CommandLine|contains: '\frpc.ini'
selection_hashes:
# v0.44.0
- Hashes|contains:
- "MD5=7D9C233B8C9E3F0EA290D2B84593C842"
- "SHA1=06DDC9280E1F1810677935A2477012960905942F"
- "SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C"
- md5: '7d9c233b8c9e3f0ea290d2b84593c842'
- sha1: '06ddc9280e1f1810677935a2477012960905942f'
- sha256: '57b0936b8d336d8e981c169466a15a5fd21a7d5a2c7daf62d5e142ee860e387c'
condition: 1 of selection_*
falsepositives:
- Legitimate use
level: high