An adversary is using a Linux-based tunneling service to establish covert network communication, potentially exfiltrating data or establishing a command and control channel. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage persistent threats leveraging tunneling techniques.
Detection Rule
title: Communication To LocaltoNet Tunneling Service Initiated - Linux
id: c4568f5d-131f-4e78-83d4-45b2da0ec4f1
status: test
description: |
    Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains.
    LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.
    Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
references:
    - https://localtonet.com/documents/supported-tunnels
    - https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications
author: Andreas Braathen (mnemonic.io)
date: 2024-06-17
tags:
    - attack.command-and-control
    - attack.t1572
    - attack.t1090
    - attack.t1102
logsource:
    category: network_connection
    product: linux
detection:
    selection:
        DestinationHostname|endswith:
            - '.localto.net'
            - '.localtonet.com'
        Initiated: 'true'
    condition: selection
falsepositives:
    - Legitimate use of the LocaltoNet service.
level: high
Sentinel Query (KQL, ASIM network session schema)
imNetworkSession
| where (DstHostname endswith ".localto.net" or DstHostname endswith ".localtonet.com")
    // Sigma "Initiated: 'true'" corresponds to an outbound session in ASIM; the
    // literal "true" is not a NetworkDirection value and would never match.
    and NetworkDirection =~ "Outbound"
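The selection logic above, evaluated in Python over a handful of constructed network_connection events (an added example, not part of the rule or the Sigma project). It assumes the event field names used by the rule (DestinationHostname, Initiated) and shows two edge cases worth knowing when tuning: Sigma string matching is case-insensitive, and the leading dot in each suffix means only sub-domains match, not the apex domain.

```python
"""Reference evaluation of the Sigma selection over constructed sample events."""
from typing import Iterable

# Suffixes copied from the rule; Sigma's default string matching is
# case-insensitive, so both sides are lowercased before comparing.
LOCALTONET_SUFFIXES = (".localto.net", ".localtonet.com")


def matches_rule(event: dict) -> bool:
    """Return True when a network_connection event matches the rule's selection.

    Both conditions must hold: the destination hostname ends with one of the
    LocaltoNet sub-domain suffixes, and the host initiated the connection
    ("Initiated" equals the string 'true', as the rule expects it to be logged).
    """
    host = str(event.get("DestinationHostname", "")).lower()
    initiated = str(event.get("Initiated", "")).lower() == "true"
    return initiated and host.endswith(LOCALTONET_SUFFIXES)


def hunt(events: Iterable[dict]) -> list[dict]:
    """Filter a stream of events down to those that should raise the alert."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry), one per case worth knowing.
SAMPLE_EVENTS = [
    # Outbound tunnel registration: matches.
    {"Image": "/tmp/localtonet", "DestinationHostname": "abc123.localto.net",
     "DestinationPort": 443, "Initiated": "true"},
    # Mixed-case hostname: still matches, the comparison is case-insensitive.
    {"Image": "/usr/bin/curl", "DestinationHostname": "XYZ.LocalToNet.com",
     "DestinationPort": 443, "Initiated": "true"},
    # Accepted (not initiated) connection: Initiated is false, no match.
    {"Image": "/usr/sbin/sshd", "DestinationHostname": "abc123.localto.net",
     "DestinationPort": 22, "Initiated": "false"},
    # Apex domain with no sub-domain label: '.localto.net' needs the dot, no match.
    {"Image": "/usr/bin/curl", "DestinationHostname": "localto.net",
     "DestinationPort": 443, "Initiated": "true"},
    # Unrelated internal traffic: no match.
    {"Image": "/usr/bin/apt", "DestinationHostname": "repo.example.com",
     "DestinationPort": 443, "Initiated": "true"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"ALERT {hit['Image']} -> {hit['DestinationHostname']}:{hit['DestinationPort']}")
```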
False Positive Scenarios and Suggested Exclusions
None of the destinations below end in .localto.net or .localtonet.com, so they do not match this rule's selection as written; the exclusions apply only if the hunt is broadened to generic outbound Linux connections.

Scenario: System update via package manager using apt or yum
Description: A legitimate system update process may initiate connections to internal repositories or mirrors.
Filter/Exclusion: Exclude connections to known internal package repositories (e.g., http://internal-repo.example.com, https://repo.example.com).

Scenario: Scheduled backup job using rsync or tar
Description: A scheduled backup task may transfer data over the network to a backup server.
Filter/Exclusion: Exclude connections to known backup servers (e.g., backup.example.com, 10.10.10.10).

Scenario: Admin task using ssh to connect to a remote server
Description: An administrator may use SSH to connect to a remote server for maintenance or troubleshooting.
Filter/Exclusion: Exclude connections to known admin servers (e.g., admin.example.com, 10.10.10.20).

Scenario: Log aggregation using rsyslog or syslog-ng
Description: Log aggregation services may send logs to a central logging server.
Filter/Exclusion: Exclude connections to known log servers (e.g., logserver.example.com, 10.10.10.30).

Scenario: Docker container communication with internal services
Description: Docker containers may communicate with internal services or other containers within the same network.
Filter/Exclusion: Exclude connections to known Docker internal services (e.g., docker.internal.example.com, 172.17.0.1).