NK_SSL_PROXY is a YARA rule written by the US-CERT Code Analysis Team and published with Malware Analysis Report MAR-10135536-G, part of the HIDDEN COBRA reporting on North Korean government cyber activity. The rule name and the report describe the sample as an SSL proxy used for covert communication, but the rule itself is a file-level signature: it keys on two x86 code fragments and a set of hard-coded strings from the analysed samples (their MD5s are in the meta section), so it detects the tool on disk or in memory rather than the network behaviour. Run it with a YARA engine against endpoints, file shares and process memory; hits can be forwarded to a SIEM such as Azure Sentinel for triage, but the SIEM does not evaluate the rule itself.
YARA Rule
rule NK_SSL_PROXY
{
    meta:
        Author = "US-CERT Code Analysis Team"
        Date = "2018/01/09"
        MD5_1 = "C6F78AD187C365D117CACBEE140F6230"
        MD5_2 = "C01DC42F65ACAF1C917C0CC29BA63ADC"
        Info = "Detects NK SSL PROXY"
        report = "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-G.PDF"
        report = "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity"
    strings:
        // 32-bit x86 byte-at-a-time loop: mov dl,[eax+ecx] ; xor dl,0x47 ; add dl,0x28 ; ... ; cmp eax,esi ; jl
        $s0 = {8B4C24088A140880F24780C228881408403BC67CEF5E}
        // the inverse loop, with prologue: sub dl,0x28 ; xor dl,0x47
        $s1 = {568B74240C33C085F67E158B4C24088A140880EA2880F247881408403BC67CEF5E}
        // "Gu@\x1f" followed by the same bytes as $s7
        $s2 = {4775401F713435747975366867766869375E2524736466}
        // hex encoding of "ghfghjuyufgdgftr" (same bytes as $s6)
        $s3 = {67686667686A75797566676467667472}
        // hex encoding of "m*^&^ghfge4wer" (same bytes as $s8)
        $s4 = {6D2A5E265E676866676534776572}
        // "1qazXSDC23we"
        $s5 = {3171617A5853444332337765}
        $s6 = "ghfghjuyufgdgftr"
        $s7 = "q45tyu6hgvhi7^%$sdf"
        $s8 = "m*^&^ghfge4wer"
    condition:
        ($s0 and $s1 and $s2 and $s3 and $s4 and $s5) or ($s6 and $s7 and $s8)
}
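To see what the rule actually keys on, it helps to decode the hex patterns and replay the condition over a buffer. The script below is an added example (not part of the US-CERT report or the rule) that uses only the Python standard library: it decodes $s0 to $s5 to bytes, evaluates both clauses of the condition the way YARA would for fixed byte strings, and reimplements the byte transform that the $s0/$s1 code fragments disassemble to, so the two loops can be checked to be inverses of each other. The sample buffers are constructed for the demonstration and are not real malware. The disassembly of $s0/$s1 is my own reading of the bytes; what the sample uses the transform for is not stated on this page.

```python
"""Added example: decode the NK_SSL_PROXY rule's patterns and evaluate its
condition over constructed buffers, using only the standard library."""

# Patterns copied from the rule above ($s0-$s5 hex, $s6-$s8 text).
HEX_PATTERNS = {
    "$s0": "8B4C24088A140880F24780C228881408403BC67CEF5E",
    "$s1": "568B74240C33C085F67E158B4C24088A140880EA2880F247881408403BC67CEF5E",
    "$s2": "4775401F713435747975366867766869375E2524736466",
    "$s3": "67686667686A75797566676467667472",
    "$s4": "6D2A5E265E676866676534776572",
    "$s5": "3171617A5853444332337765",
}
TEXT_PATTERNS = {
    "$s6": b"ghfghjuyufgdgftr",
    "$s7": b"q45tyu6hgvhi7^%$sdf",
    "$s8": b"m*^&^ghfge4wer",
}
CLAUSE1 = ("$s0", "$s1", "$s2", "$s3", "$s4", "$s5")
CLAUSE2 = ("$s6", "$s7", "$s8")


def pattern_bytes() -> dict:
    """Every rule string as raw bytes. The hex patterns contain no wildcards
    or jumps, so each is a fixed byte sequence, just like the text strings."""
    out = {name: bytes.fromhex(hx) for name, hx in HEX_PATTERNS.items()}
    out.update(TEXT_PATTERNS)
    return out


def printable(data: bytes) -> str:
    """Render bytes for the analyst's eye, escaping non-printable values."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}" for b in data)


def evaluate(data: bytes) -> dict:
    """Mirror the YARA condition: which strings hit and which clause fired."""
    hits = {name: (pat in data) for name, pat in pattern_bytes().items()}
    clause1 = all(hits[n] for n in CLAUSE1)
    clause2 = all(hits[n] for n in CLAUSE2)
    return {"hits": hits, "clause1": clause1, "clause2": clause2,
            "match": clause1 or clause2}


def nk_ssl_proxy_matches(data: bytes) -> bool:
    return evaluate(data)["match"]


def first_clause_implies_second() -> bool:
    """$s3/$s4 are the hex encodings of $s6/$s8 and $s2 embeds $s7, so any
    buffer that satisfies clause 1 necessarily satisfies clause 2 as well."""
    p = pattern_bytes()
    return p["$s3"] == p["$s6"] and p["$s4"] == p["$s8"] and p["$s7"] in p["$s2"]


# The $s0/$s1 patterns disassemble (32-bit x86) to a per-byte loop body:
#   $s0: xor dl,0x47 ; add dl,0x28
#   $s1: sub dl,0x28 ; xor dl,0x47   (the inverse of $s0)
# Reimplemented here only so the round-trip can be verified.
def transform_s0(buf: bytes) -> bytes:
    return bytes(((b ^ 0x47) + 0x28) & 0xFF for b in buf)


def transform_s1(buf: bytes) -> bytes:
    return bytes(((b - 0x28) & 0xFF) ^ 0x47 for b in buf)


# Constructed test buffers (not real samples).
_PAD = b"\x00" * 16
SAMPLE_ALL = _PAD + b"".join(bytes.fromhex(h) for h in HEX_PATTERNS.values()) + _PAD
SAMPLE_TEXT_ONLY = _PAD + b"".join(TEXT_PATTERNS.values()) + _PAD
SAMPLE_PARTIAL = _PAD + TEXT_PATTERNS["$s6"] + _PAD + TEXT_PATTERNS["$s7"] + _PAD
SAMPLE_BENIGN = b"haproxy: SSL frontend bound to :443\n" * 4

if __name__ == "__main__":
    for name, pat in pattern_bytes().items():
        print(f"{name}: {printable(pat)}")
    for label, buf in (("all", SAMPLE_ALL), ("text_only", SAMPLE_TEXT_ONLY),
                       ("partial", SAMPLE_PARTIAL), ("benign", SAMPLE_BENIGN)):
        print(label, evaluate(buf))
```

Two things fall out of running it. First, the hex patterns are not opaque: four of the six are ASCII strings, and $s3/$s4 duplicate $s6/$s8 byte for byte while $s2 contains $s7, so the second clause of the condition is satisfied by anything that satisfies the first; in practice the rule fires exactly when the three plaintext strings are present together, and the code patterns mainly document the sample. Second, a buffer containing only two of the three plaintext strings does not match, which is the behaviour to expect when a sample has been partially rebuilt or repacked.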
The rule carries 9 string patterns: six hex patterns ($s0 to $s5) and three plaintext strings ($s6 to $s8), combined as two alternative clauses. Because it keys on artefact-specific strings rather than on proxy behaviour, legitimate proxy or tunnelling software should not normally trigger it. The scenarios below are examples of benign tooling that may appear in the same endpoint telemetry as a hit; their exclusions belong to the EDR or SIEM layer that consumes YARA results, since YARA itself has no process.name field. Two caveats when applying them: each exclusion must require every listed name to differ (and), because `process.name != "a" or process.name != "b"` is always true and would suppress every hit; and an adversary can name a binary after an excluded tool, so confirm which strings actually matched before excluding anything.
Scenario: A system administrator is using Wireshark to manually inspect network traffic for troubleshooting purposes.
Filter/Exclusion: process.name != "wireshark" and process.name != "tshark"
Scenario: A scheduled backup job is running and temporarily uses a proxy tool like Squid to route traffic through a corporate proxy.
Filter/Exclusion: process.name != "squid" and process.name != "backup_tool_name"
Scenario: An IT admin is configuring a load balancer using a tool like HAProxy and the configuration includes SSL proxy settings.
Filter/Exclusion: process.name != "haproxy" and process.name != "configure_load_balancer"
Scenario: A developer is testing an application that uses ngrok for local development and tunnelling.
Filter/Exclusion: process.name != "ngrok" and process.name != "dev_tool_name"
Scenario: A system update or patching task is running and uses a proxy tool like ProxyChains to route traffic through a secure network.
Filter/Exclusion: process.name != "proxychains" and process.name != "patching_tool_name"