An adversary is establishing an unauthorized proxy server to exfiltrate data or pivot within the network, leveraging the proxy as a remote access tunnel. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential command and control channels and mitigate lateral movement risks.
YARA Rule
rule Unauthorized_Proxy_Server_RAT
{
meta:
Author="US-CERT Code Analysis Team"
Incident="10135536"
MD5_1 = "C74E289AD927E81D2A1A56BC73E394AB"
MD5_2 = "2950E3741D7AF69E0CA0C5013ABC4209"
Info="Detects Proxy Server RAT"
super_rule = 1
report = "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF"
report = "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity"
strings:
$s0 = {8A043132C288043125FF00000003C299F73D40404900A14440490003D0413BCF72DE5E5FC3}
$s1 = {8A04318844241432C28804318B44241425FF00000003C299F73D40404900A14440490003D0413BCF72D65E5FC3}
$s2 = {8A04318844241432C28804318B44241425FF00000003C299F73D5C394100A16039410003D0413BCF72D65E5FC3}
$s3 = {8A043132C288043125FF00000003C299F73D5C394100A16039410003D0413BCF72DE5E5FC3}
$s4 = {B91A7900008A140780F29A8810404975F4}
$s5 = {399FE192769F839DCE9F2A9D2C9EAD9CEB9FD19CA59F7E9F539CEF9F029F969C6C9E5C9D949FC99F}
$s6 = {8A04318844241432C28804318B44241425FF00000003C299F73D40600910A14460091003D0413BCF72D65E5FC3}
$s7 = {3C5C75208A41014184C074183C72740C3C7474083C6274043C2275088A41014184C075DC}
$s8 = {8B063D9534120077353D59341200722E668B4604663DE8037F24}
$s9 = {8BC88B74241CC1E1052BC88B7C2418C1E1048B5C241403C88D04888B4C242083F9018944240C7523}
$s10 = {8B063D9034120077353D59341200722E668B4604663DE8037F246685C0}
$s11 = {30110FB60148FFC102C20FBEC09941F7F94103D249FFC875E7}
$s12 = {448BE8B84FECC44E41F7EDC1FA038BCAC1E91F03D16BD21A442BEA4183C541}
$s13 = {8A0A80F9627C2380F9797F1E80F9647C0A80F96D7F0580C10BEB0D80F96F7C0A80F9787F05}
condition:
any of them
}This YARA rule can be deployed in the following contexts:
This rule contains 14 string patterns in its detection logic.
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as a scheduled backup or patching job, may use a proxy server for network traffic.
Filter/Exclusion: Exclude traffic originating from known system service accounts (e.g., NT SERVICE\TrustedInstaller, NT AUTHORITY\System) or tasks with known scheduled job IDs.
Scenario: Admin Access via Proxy for Secure Tunneling
Description: IT administrators may use a proxy server to securely tunnel traffic (e.g., using OpenVPN or WireGuard) for remote management or secure access to internal resources.
Filter/Exclusion: Exclude traffic from admin user accounts (e.g., Administrator, Domain Admins) or traffic associated with known secure tunneling tools.
Scenario: Proxy Server Configuration via Group Policy
Description: An enterprise may configure a proxy server via Group Policy for all users, which could trigger the rule if the proxy is associated with malicious behavior.
Filter/Exclusion: Exclude traffic from known proxy server IP ranges or traffic that matches the enterprise’s configured proxy settings.
Scenario: Software Update Distribution via Proxy
Description: A legitimate software update distribution process (e.g., using Microsoft Endpoint Configuration Manager) may route traffic through a proxy server.
Filter/Exclusion: Exclude traffic from known update servers (e.g., update.microsoft.com, wsus) or traffic associated with update distribution tasks.
Scenario: Network Monitoring Tool Using Proxy
Description: A network monitoring tool (e.g., Wireshark, tcpdump) may use a proxy to capture and analyze network traffic, which could be flagged as suspicious.
Filter/Exclusion: Exclude traffic from known monitoring tools or from processes associated with network analysis tools.