An adversary may use TCP tunneling over HTTP to exfiltrate data or establish covert command and control channels. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential data exfiltration or C2 activities that evade traditional network detection methods.
YARA Rule
rule hacktool_multi_ncc_ABPTTS
{
    meta:
        description = "Allows for TCP tunneling over HTTP"
        reference = "https://github.com/nccgroup/ABPTTS"
        author = "@mimeframe"
        id = "c1efad63-0b43-5314-8cbb-08b8b04a3365"
    strings:
        $s1 = "---===[[[ A Black Path Toward The Sun ]]]===---" ascii wide
        $s2 = "https://vulnerableserver/EStatus/" ascii wide
        $s3 = "Error: no ABPTTS forwarding URL was specified. This utility will now exit." ascii wide
        // access key
        $s4 = "tQgGur6TFdW9YMbiyuaj9g6yBJb2tCbcgrEq" fullword ascii wide
        // encryption key
        $s5 = "63688c4f211155c76f2948ba21ebaf83" fullword ascii wide
        // log file
        $s6 = "ABPTTSClient-log.txt" fullword ascii wide
    condition:
        any of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 6 string patterns in its detection logic.
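To make the rule's modifiers concrete, the following added example (not part of the original page, the rule author's work, or the ABPTTS project) re-implements its six strings and the `any of them` condition in plain Python: `ascii wide` means each string is searched both as raw ASCII and as UTF-16LE, and `fullword` rejects a hit that is glued to other alphanumeric characters. The sample buffers are constructed for illustration; in production the rule itself would be run with the yara engine.

```python
import re

# (pattern, fullword) pairs copied from the rule; every string is `ascii wide`.
ABPTTS_STRINGS = {
    "s1": ("---===[[[ A Black Path Toward The Sun ]]]===---", False),
    "s2": ("https://vulnerableserver/EStatus/", False),
    "s3": ("Error: no ABPTTS forwarding URL was specified. This utility will now exit.", False),
    "s4": ("tQgGur6TFdW9YMbiyuaj9g6yBJb2tCbcgrEq", True),   # access key
    "s5": ("63688c4f211155c76f2948ba21ebaf83", True),        # encryption key
    "s6": ("ABPTTSClient-log.txt", True),                    # log file
}

def _encodings(text):
    """`ascii` matches the raw bytes; `wide` matches the UTF-16LE form (char, 0x00)."""
    return [text.encode("ascii"), text.encode("utf-16-le")]

def _fullword_ok(data, start, end, wide):
    """YARA fullword: the match must not be bordered by an alphanumeric character.
    For a wide string the neighbouring character occupies two bytes (char + 0x00)."""
    step = 2 if wide else 1
    before = data[start - step:start] if start - step >= 0 else b""
    after = data[end:end + step]
    def alnum(chunk):
        # bytes.isalnum() is ASCII-only, matching YARA's [A-Za-z0-9] notion
        return len(chunk) == step and chunk[:1].isalnum() and (not wide or chunk[1] == 0)
    return not alnum(before) and not alnum(after)

def _found(data, needle, fullword, wide):
    for m in re.finditer(re.escape(needle), data):
        if not fullword or _fullword_ok(data, m.start(), m.end(), wide):
            return True
    return False

def match_abptts(data):
    """Return the names of rule strings present in `data`; the rule fires if non-empty."""
    hits = []
    for name, (text, fullword) in ABPTTS_STRINGS.items():
        if any(_found(data, needle, fullword, bool(wide))
               for wide, needle in enumerate(_encodings(text))):
            hits.append(name)
    return hits

# Constructed samples (not real artefacts) exercising each modifier.
SAMPLE_WIDE_BANNER = ABPTTS_STRINGS["s1"][0].encode("utf-16-le")        # wide only -> s1
SAMPLE_EMBEDDED_KEY = b"deadbeef" + b"tQgGur6TFdW9YMbiyuaj9g6yBJb2tCbcgrEq" + b"Z"  # fullword blocks
SAMPLE_KEY_TOKEN = b'key="tQgGur6TFdW9YMbiyuaj9g6yBJb2tCbcgrEq"'        # quoted -> s4
SAMPLE_BENIGN = b"GET /EStatus/ HTTP/1.1\r\nHost: example.invalid\r\n"  # partial URL, no hit

if __name__ == "__main__":
    for label, buf in [("wide banner", SAMPLE_WIDE_BANNER), ("embedded key", SAMPLE_EMBEDDED_KEY),
                       ("quoted key", SAMPLE_KEY_TOKEN), ("benign", SAMPLE_BENIGN)]:
        print(f"{label:13s} -> {match_abptts(buf)}")
```

The embedded-key sample shows why `fullword` matters for the key strings: without it, any longer token that happens to contain the key would trigger the rule.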
Scenario: Legitimate HTTP Proxy Usage
Description: Employees use a corporate-approved HTTP proxy (e.g., Squid, NGINX) to access external resources.
Filter/Exclusion: Exclude traffic originating from known proxy servers or IP ranges used by the organization’s proxy infrastructure.
Scenario: Scheduled System Updates via HTTP
Description: A scheduled job (e.g., yum update, apt-get upgrade) uses HTTP to download updates from a trusted repository.
Filter/Exclusion: Exclude traffic to known package repositories (e.g., repo.packagename.com, mirror.centos.org) or based on process names like yum, apt.
Scenario: Admin Task Using curl or wget
Description: An administrator uses curl or wget to manually test or download files from internal HTTP endpoints.
Filter/Exclusion: Exclude traffic from admin user accounts or processes with known administrative tools (e.g., curl, wget, scp).
Scenario: Internal HTTP Tunneling for Secure Communication
Description: A service uses HTTP tunneling (e.g., stunnel, socat) to securely communicate over an internal HTTP proxy.
Filter/Exclusion: Exclude traffic from known tunneling tools or internal services (e.g., stunnel, socat, internal-proxy.example.com).
Scenario: Web Application Using HTTP for Backend Communication
Description: A web app (e.g., WordPress, Drupal) communicates with an internal HTTP API or service (e.g., api.example.com).
Filter/Exclusion: Exclude traffic to internal domain names or IP addresses used by internal services (e.g., api.example.com, 10.0.0.10).