Anomalous process (e.g., rundll32, svchost, cmd) initiates connections to internal peer hosts not seen in typical communication baselines, used to proxy or forward traffic internally, often using SMB, RPC, or high ports.

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Network Traffic Flow (DC0078) | Windows Firewall Log | SMB over high port |

| Field | Description |
|---|---|
| InternalConnectionPattern | Tune based on known host-to-host communications that are rare (e.g., workstation-to-workstation). |
| DestinationPort | Focus on unusual internal traffic on ports like 1080, 8080, 4444, or SMB over non-standard ports. |
| TimeWindow | Correlate unusual traffic bursts with new process execution. |
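An added detection example, not part of this page's analytic: it correlates constructed Sysmon-style EventCode 1 (process creation) and EventCode 3 (network connection) records so that a watched process (rundll32, svchost, cmd) connecting to an internal peer outside the known host-to-host baseline is flagged, with the destination port classed and the seconds since process creation attached for the TimeWindow correlation. The trimmed field names, the baseline set, the internal address range and the port list are assumptions made for the example.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed Sysmon-style records (EventCode 1 = process creation, 3 = network connection).
# The field set is trimmed relative to the real Sysmon schema.
SAMPLE_EVENTS = [
    {"EventCode": 1, "UtcTime": "2024-05-01T10:00:00", "Computer": "WS-07", "ProcessId": 4120,
     "Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventCode": 3, "UtcTime": "2024-05-01T10:00:20", "Computer": "WS-07", "ProcessId": 4120,
     "Image": r"C:\Windows\System32\rundll32.exe", "DestinationIp": "10.20.5.31", "DestinationPort": 4444},
    {"EventCode": 3, "UtcTime": "2024-05-01T10:01:00", "Computer": "WS-07", "ProcessId": 4120,
     "Image": r"C:\Windows\System32\rundll32.exe", "DestinationIp": "10.20.5.31", "DestinationPort": 49152},
    {"EventCode": 3, "UtcTime": "2024-05-01T10:02:00", "Computer": "WS-07", "ProcessId": 2208,
     "Image": r"C:\Program Files\Outlook\outlook.exe", "DestinationIp": "10.20.1.10", "DestinationPort": 443},
    {"EventCode": 3, "UtcTime": "2024-05-01T10:03:00", "Computer": "WS-07", "ProcessId": 3001,
     "Image": r"C:\Windows\System32\cmd.exe", "DestinationIp": "10.20.1.10", "DestinationPort": 445},
    {"EventCode": 3, "UtcTime": "2024-05-01T10:04:00", "Computer": "WS-07", "ProcessId": 4120,
     "Image": r"C:\Windows\System32\rundll32.exe", "DestinationIp": "203.0.113.9", "DestinationPort": 443},
]

# Tuning knobs named after the page's fields; all values are assumptions for this example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]        # what "internal" means for this estate
INTERNAL_CONNECTION_BASELINE = {("WS-07", "10.20.1.10")}    # InternalConnectionPattern: known host -> peer pairs
SUSPICIOUS_PORTS = {1080, 8080, 4444}                       # DestinationPort
WATCHED_IMAGES = {"rundll32.exe", "svchost.exe", "cmd.exe"}
TIME_WINDOW = timedelta(minutes=5)                          # TimeWindow after process creation


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def port_class(port):
    if port in SUSPICIOUS_PORTS:
        return "suspicious_port"
    return "high_port" if port >= 1024 else "standard_port"   # 445, 135 etc. land here


def detect_internal_proxy(events, baseline=INTERNAL_CONNECTION_BASELINE, window=TIME_WINDOW):
    """Flag watched processes that connect to internal peers outside the baseline,
    attaching how long after process creation the connection happened (if known)."""
    starts = {}   # (Computer, ProcessId) -> creation time from EventCode 1
    alerts = []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        key = (ev["Computer"], ev["ProcessId"])
        ts = datetime.fromisoformat(ev["UtcTime"])
        if ev["EventCode"] == 1:
            starts[key] = ts
            continue
        if ev["EventCode"] != 3:
            continue
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        dst = ev["DestinationIp"]
        if image not in WATCHED_IMAGES or not is_internal(dst):
            continue
        if (ev["Computer"], dst) in baseline:
            continue   # a known, normal host-to-host relationship
        since_start = None
        if key in starts and ts - starts[key] <= window:
            since_start = (ts - starts[key]).total_seconds()
        alerts.append({
            "computer": ev["Computer"], "image": image, "pid": ev["ProcessId"],
            "dst": dst, "port": ev["DestinationPort"],
            "port_class": port_class(ev["DestinationPort"]),
            "seconds_since_start": since_start,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_internal_proxy(SAMPLE_EVENTS):
        print(alert)
```

On the sample, only the two rundll32 connections to 10.20.5.31 are returned: the Outlook connection is not a watched image, the cmd.exe connection to 10.20.1.10 is in the baseline, and the 203.0.113.9 connection is not internal. Sysmon EventCode 3 does not identify SMB as a protocol, so the port class is a hint for triage rather than proof that SMB is in use.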
socat, ssh, iptables, or ncat invoked from user space or cron jobs to create port forwarding, reverse shells, or inter-host tunnels between compromised Linux systems. Behavior is typically paired with socket activity and high entropy traffic.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Network Traffic Flow (DC0078) | NSM:Connections | Internal connection logging |
| Network Traffic Content (DC0085) | NSM:Flow | conn.log |

| Field | Description |
|---|---|
| UserContext | Alert on unexpected users executing inter-host relay tools (e.g., `www-data`, `backup`). |
| PortRange | Adjust to watch for commonly misused internal TCP/UDP ports. |
| ProcessPattern | Shell pipelines or wrapped invocations like `bash -c 'socat ...'`. |
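An added example, not code from this page: it groups constructed auditd SYSCALL and EXECVE records by event serial, rebuilds the command line, unwraps `bash -c '...'`-style wrappers (ProcessPattern), matches the relay tools the page names (socat, ssh port forwards, ncat, iptables NAT rules), and alerts when the executing user is unexpected (UserContext) or a watched port appears (PortRange). The uid-to-name table, the user and port sets, and the trimmed record layout are assumptions; real auditd hex-encodes arguments that contain spaces or quotes, so decode those before applying this logic.

```python
import re
from collections import defaultdict

# Constructed auditd excerpt (execve = syscall 59 on x86_64). Fields are trimmed and arguments
# are shown unencoded; real auditd hex-encodes arguments containing spaces or quotes.
SAMPLE_AUDIT_LOG = r'''
type=SYSCALL msg=audit(1714557600.101:501): arch=c000003e syscall=59 success=yes exit=0 uid=33 auid=4294967295 comm="bash" exe="/usr/bin/bash"
type=EXECVE msg=audit(1714557600.101:501): argc=3 a0="bash" a1="-c" a2="socat TCP-LISTEN:8080,fork TCP:10.0.5.12:445"
type=SYSCALL msg=audit(1714557605.212:502): arch=c000003e syscall=59 success=yes exit=0 uid=1000 auid=1000 comm="ssh" exe="/usr/bin/ssh"
type=EXECVE msg=audit(1714557605.212:502): argc=4 a0="ssh" a1="-L" a2="8080:10.0.5.12:22" a3="jumphost"
type=SYSCALL msg=audit(1714557610.300:503): arch=c000003e syscall=59 success=yes exit=0 uid=1000 auid=1000 comm="ls" exe="/usr/bin/ls"
type=EXECVE msg=audit(1714557610.300:503): argc=2 a0="ls" a1="-la"
type=SYSCALL msg=audit(1714557620.400:504): arch=c000003e syscall=59 success=yes exit=0 uid=0 auid=0 comm="iptables" exe="/usr/sbin/iptables"
type=EXECVE msg=audit(1714557620.400:504): argc=3 a0="iptables" a1="-L" a2="-n"
type=SYSCALL msg=audit(1714557700.500:505): arch=c000003e syscall=59 success=yes exit=0 uid=0 auid=4294967295 comm="sh" exe="/usr/bin/dash"
type=EXECVE msg=audit(1714557700.500:505): argc=3 a0="sh" a1="-c" a2="iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 10.0.5.12:445"
'''

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')
PORT_RE = re.compile(r'(?<![\d.])(\d{2,5})(?![\d.])')   # heuristic: bare numbers that are not IPv4 octets

UID_NAMES = {0: "root", 33: "www-data", 34: "backup", 1000: "alice"}   # constructed /etc/passwd excerpt
UNEXPECTED_USERS = {"www-data", "backup"}                              # UserContext
WATCHED_PORTS = {1080, 4444, 8080}                                     # PortRange
SHELL_WRAPPERS = {"bash", "sh", "dash"}                                # ProcessPattern

# Tool-specific patterns; only invocations that actually forward or listen are matched.
RELAY_PATTERNS = {
    "socat": re.compile(r'\bsocat\b.*\b(TCP|UDP)4?-LISTEN\b', re.I),
    "ssh": re.compile(r'\bssh\b.*\s-[LRD]\s'),
    "ncat": re.compile(r'\b(ncat|nc)\b.*\s(-l|--listen|-e|--sh-exec)\b'),
    "iptables": re.compile(r'\biptables\b.*-t\s+nat\b.*\b(DNAT|REDIRECT)\b'),
}


def parse_audit(text):
    """Group auditd records by event serial -> {record type: fields}."""
    events = defaultdict(dict)
    for line in text.strip().splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        events[int(m.group(1))][fields["type"]] = fields
    return events


def reconstruct_command(execve):
    argv = [execve[f"a{i}"] for i in range(int(execve["argc"]))]
    # Unwrap `sh -c '...'` so the inner command, not the shell, is what gets classified.
    if len(argv) >= 3 and argv[0].rsplit("/", 1)[-1] in SHELL_WRAPPERS and argv[1] == "-c":
        return argv[2]
    return " ".join(argv)


def classify_relay(cmd):
    for tool, pattern in RELAY_PATTERNS.items():
        if pattern.search(cmd):
            return tool
    return None


def detect_relays(text, unexpected_users=UNEXPECTED_USERS, watched_ports=WATCHED_PORTS):
    alerts = []
    for serial, recs in sorted(parse_audit(text).items()):
        if "SYSCALL" not in recs or "EXECVE" not in recs:
            continue
        cmd = reconstruct_command(recs["EXECVE"])
        tool = classify_relay(cmd)
        if tool is None:
            continue
        uid = int(recs["SYSCALL"]["uid"])
        user = UID_NAMES.get(uid, f"uid:{uid}")
        reasons = []
        if user in unexpected_users:
            reasons.append(f"unexpected_user:{user}")
        hits = {int(p) for p in PORT_RE.findall(cmd)} & watched_ports
        if hits:
            reasons.append("watched_port:" + ",".join(str(p) for p in sorted(hits)))
        if reasons:
            alerts.append({"serial": serial, "user": user, "tool": tool, "reasons": reasons, "command": cmd})
    return alerts


if __name__ == "__main__":
    for alert in detect_relays(SAMPLE_AUDIT_LOG):
        print(alert)
```

Serials 501 (socat run by `www-data` via `bash -c`), 502 (an `ssh -L` forward on a watched port) and 505 (an iptables DNAT rule from a cron-style `sh -c`) are returned; the plain `ls` and the read-only `iptables -L -n` are not. The relay-tool patterns fire only on listening or forwarding forms so that ordinary interactive ssh sessions stay quiet.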
Execution of AppleScript or Automator services launching ssh -L, socat, or launchctl items that dynamically reroute traffic from one Mac endpoint to another. LaunchAgents used to establish permanent internal tunnels.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | None |
| Network Traffic Flow (DC0078) | NSM:Flow | pf firewall logs |
| Service Creation (DC0060) | macos:osquery | Process Events and Launch Daemons |

| Field | Description |
|---|---|
| LaunchAgentPath | Directory where proxying LaunchDaemons may be dropped, e.g., `/Library/LaunchDaemons/`. |
| PortBindings | Dynamic port forwards often use ephemeral or non-standard service ports. |
| AppleScriptUsage | May trigger on less common scripting interfaces for traffic redirection. |
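An added example, not part of this page: it inspects constructed launchd property lists (the kind of artifact that would be collected from `/Library/LaunchDaemons/` and `/Library/LaunchAgents/`, the LaunchAgentPath field) and reports items whose `ProgramArguments` run an ssh port forward or socat directly, or hide one behind `osascript` (AppleScriptUsage), along with whether the item is persistent and which non-standard ports it binds (PortBindings). The plists, paths, labels and the set of "known" service ports are all constructed for the example.

```python
import plistlib
import re

# Constructed launchd property lists keyed by the path they would occupy; none are real files.
SAMPLE_PLISTS = {
    "/Library/LaunchDaemons/com.example.relay.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.relay</string>
  <key>ProgramArguments</key><array>
    <string>/usr/bin/ssh</string><string>-N</string><string>-L</string>
    <string>8443:10.1.2.20:443</string><string>hop@10.1.2.10</string>
  </array>
  <key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>
""",
    "/Library/LaunchAgents/com.example.helper.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key><array>
    <string>/usr/bin/osascript</string><string>-e</string>
    <string>do shell script "socat TCP-LISTEN:1080,fork TCP:10.1.2.30:445"</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>
""",
    "/Library/LaunchDaemons/com.vendor.backup.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.vendor.backup</string>
  <key>ProgramArguments</key><array>
    <string>/usr/local/bin/backup-agent</string><string>--daemon</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>
""",
}

RELAY_BINARIES = {"socat", "nc", "ncat"}
SCRIPT_BRIDGES = {"osascript", "automator"}
PERSIST_DIRS = ("/Library/LaunchDaemons/", "/Library/LaunchAgents/")   # LaunchAgentPath
KNOWN_SERVICE_PORTS = {22, 53, 80, 443, 445}                             # PortBindings: anything else counts as non-standard here
SSH_FORWARD_ARG = re.compile(r"^-[A-Za-z]*[LRD][A-Za-z]*$")   # -L / -R / -D, including combined forms like -NL
EMBEDDED_RELAY = re.compile(r"\b(socat|ssh|ncat|nc)\b")
PORT_IN_ARG = re.compile(r"(?<![\d.])(\d{2,5})(?![\d.])")    # heuristic: numbers that are not IPv4 octets


def relay_indicators(argv):
    """Describe why a launch item's argument vector looks like a traffic relay (empty list = benign)."""
    if not argv:
        return []
    binary = argv[0].rsplit("/", 1)[-1]
    found = []
    if binary == "ssh" and any(SSH_FORWARD_ARG.match(a) for a in argv[1:]):
        found.append("ssh_port_forward")
    elif binary in RELAY_BINARIES:
        found.append(f"relay_tool:{binary}")
    if binary in SCRIPT_BRIDGES:                 # AppleScriptUsage: relay wrapped in a script call
        m = EMBEDDED_RELAY.search(" ".join(argv[1:]))
        if m:
            found.append(f"script_bridge:{binary}->{m.group(1)}")
    return found


def audit_launch_items(plists, persist_dirs=PERSIST_DIRS):
    findings = []
    for path, raw in plists.items():
        item = plistlib.loads(raw)
        argv = item.get("ProgramArguments") or ([item["Program"]] if "Program" in item else [])
        indicators = relay_indicators(argv)
        if not indicators:
            continue
        ports = {int(p) for a in argv for p in PORT_IN_ARG.findall(a)}
        findings.append({
            "path": path,
            "label": item.get("Label"),
            "in_persist_dir": path.startswith(persist_dirs),
            "persistent": bool(item.get("RunAtLoad") or item.get("KeepAlive")),
            "indicators": indicators,
            "unusual_ports": sorted(ports - KNOWN_SERVICE_PORTS),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_launch_items(SAMPLE_PLISTS):
        print(finding)
```

The relay daemon (an `ssh -L` with `KeepAlive`, i.e. a permanent tunnel) and the osascript-wrapped socat agent are reported; the vendor backup agent is not. The same function can be pointed at real files by reading each plist's bytes into the dictionary, and the osquery `launchd` table exposes the same `program_arguments` and `run_at_load` attributes if you prefer to query them live.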
ESXi shell execution of tools/scripts (nc, socat, perl) relaying network traffic to other internal hosts, especially when initiated by unauthorized users or VMs.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | esxi:shell | /var/log/shell.log |
| Network Traffic Flow (DC0078) | esxi:vmkernel | /var/log/vmkernel.log |
| Network Connection Creation (DC0082) | NSM:Flow | conn.log |

| Field | Description |
|---|---|
| CLICommandPattern | Watch for chained shell commands building local-to-local connections. |
| VMInitiator | Correlate to which VM initiated the traffic tunnel; unexpected VM behavior may be suspicious. |
| ConnectionDirectionality | Unusual east-west communication patterns among VMs. |
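An added example, not part of this page: it parses a constructed `/var/log/shell.log` excerpt, looks for the relay tools the page names, and alerts when such a command is chained with `|`, `&&` or `;` (CLICommandPattern) or points at an address inside the guest VM segment (ConnectionDirectionality), noting whether the shell user is one expected to be there. The log line shape, the authorized-user set and the VM subnet are assumptions; the real shell.log layout can vary between ESXi versions, so adjust `LINE_RE` to what your hosts produce.

```python
import ipaddress
import re

# Constructed /var/log/shell.log excerpt in the shape `<timestamp> shell[<pid>]: [<user>]: <command>`;
# the exact layout of the real file may differ by ESXi version.
SAMPLE_SHELL_LOG = """
2024-05-01T10:00:01Z shell[2098751]: [root]: esxcli network ip interface list
2024-05-01T10:02:14Z shell[2098760]: [svc-backup]: nc -l -p 8080 | nc 10.30.0.25 445
2024-05-01T10:03:02Z shell[2098762]: [root]: socat TCP-LISTEN:1080,fork TCP:10.30.0.40:3389 &
2024-05-01T10:04:40Z shell[2098770]: [root]: vim-cmd vmsvc/getallvms
2024-05-01T10:05:10Z shell[2098775]: [root]: ls /vmfs/volumes && df -h
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")
RELAY_TOOL_RE = re.compile(r"\b(nc|ncat|socat|perl|python)\b")
CHAIN_RE = re.compile(r"\|\||&&|\||;")                       # CLICommandPattern: pipelines and command chains
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

AUTHORIZED_SHELL_USERS = {"root"}                            # who is expected in the ESXi shell (assumption)
VM_NETWORKS = [ipaddress.ip_network("10.30.0.0/24")]        # guest VM segment; host-to-guest traffic is east-west


def parse_shell_log(text):
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def _as_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:          # e.g. a version string that looks like dotted digits
        return None


def detect_shell_relays(text, authorized=AUTHORIZED_SHELL_USERS, vm_nets=VM_NETWORKS):
    """Alert on relay-tool invocations that are chained or aimed at the VM segment."""
    alerts = []
    for rec in parse_shell_log(text):
        cmd = rec["cmd"]
        tools = sorted(set(RELAY_TOOL_RE.findall(cmd)))
        if not tools:
            continue
        targets = [ip for ip in (_as_ip(t) for t in IPV4_RE.findall(cmd)) if ip is not None]
        east_west = any(ip in net for ip in targets for net in vm_nets)
        chained = CHAIN_RE.search(cmd) is not None
        if not (chained or east_west):
            continue
        alerts.append({
            "ts": rec["ts"], "pid": int(rec["pid"]), "user": rec["user"],
            "authorized_user": rec["user"] in authorized,
            "tools": tools, "chained": chained,
            "targets": [str(ip) for ip in targets], "east_west": east_west,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_shell_relays(SAMPLE_SHELL_LOG):
        print(alert)
```

The piped `nc` pair run by `svc-backup` and the backgrounded socat listener aimed at a VM address are returned; the `esxcli`, `vim-cmd` and the benign `ls && df` chain are not. To follow up on VMInitiator, the alert's target address is the value to join against vmkernel or conn.log flow records for the guest that owns it.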
Configuration of internal NAT or proxy rules that redirect traffic between client segments internally (e.g., site-to-site port forwarding). Often used to relay internal beaconing or move traffic laterally through trust zones.

| Data Component | Name | Channel |
|---|---|---|
| Firewall Rule Modification (DC0051) | Firewall Audit Logs | Config Change |
| Network Traffic Flow (DC0078) | NSM:Flow | Inter-segment traffic |
| Command Execution (DC0064) | networkdevice:cli | Policy Update |

| Field | Description |
|---|---|
| ProxyTarget | Internal subnets or endpoint roles allowed for port forwarding. |
| ConfigChangeUser | Detect changes made outside scheduled or authorized windows. |
| FlowThreshold | Volume of data relayed through proxy exceeds historical norms. |
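An added example, not part of this page, covering the three tuning fields together: constructed firewall audit records are checked for NAT/forwarding rules that point outside the sanctioned ProxyTarget segment or were made outside the change window (ConfigChangeUser), and constructed daily inter-segment byte counts are compared against the median of earlier days (FlowThreshold). The record layout, the allowed segment, the maintenance window and the threshold factor are all assumptions.

```python
import ipaddress
import statistics
from datetime import datetime, time

# Tuning values named after the page's fields; every value here is an assumption for the example.
ALLOWED_PROXY_TARGETS = [ipaddress.ip_network("10.50.0.0/24")]  # ProxyTarget: the only segment where forwarding is sanctioned
MAINTENANCE_WINDOWS = {5: (time(2, 0), time(4, 0))}              # ConfigChangeUser: weekday() -> permitted window (5 = Saturday, UTC)
FLOW_THRESHOLD_FACTOR = 3.0                                      # FlowThreshold: multiple of the historical daily median

# Constructed firewall audit records; "nat" stands in for any port-forward / redirect rule type.
SAMPLE_RULE_CHANGES = [
    {"ts": "2024-05-04T02:30:00", "user": "netops", "rule": {"type": "nat", "dst": "10.50.0.10", "dport": 443}},
    {"ts": "2024-05-07T13:12:00", "user": "j.doe", "rule": {"type": "nat", "dst": "10.20.7.55", "dport": 445}},
    {"ts": "2024-05-07T13:15:00", "user": "j.doe", "rule": {"type": "filter", "dst": "10.20.7.55", "dport": 22}},
]

# Constructed daily inter-segment volumes: (date, src_segment, dst_segment, bytes).
SAMPLE_FLOWS = [
    ("2024-05-01", "users", "servers", 210_000_000),
    ("2024-05-02", "users", "servers", 245_000_000),
    ("2024-05-03", "users", "servers", 198_000_000),
    ("2024-05-04", "users", "servers", 120_000_000),
    ("2024-05-05", "users", "servers", 95_000_000),
    ("2024-05-06", "users", "servers", 230_000_000),
    ("2024-05-07", "users", "servers", 2_400_000_000),
    ("2024-05-07", "users", "dmz", 40_000_000),
]


def in_maintenance_window(ts, windows=MAINTENANCE_WINDOWS):
    dt = datetime.fromisoformat(ts)
    window = windows.get(dt.weekday())
    return window is not None and window[0] <= dt.time() < window[1]


def audit_rule_changes(changes, allowed=ALLOWED_PROXY_TARGETS):
    """Flag NAT/forwarding rule changes made outside the window or pointing at a non-sanctioned target."""
    alerts = []
    for change in changes:
        rule = change["rule"]
        if rule["type"] != "nat":          # plain filter rules do not relay traffic
            continue
        reasons = []
        if not in_maintenance_window(change["ts"]):
            reasons.append("outside_window")
        dst = ipaddress.ip_address(rule["dst"])
        if not any(dst in net for net in allowed):
            reasons.append("target_not_allowed")
        if reasons:
            alerts.append({"ts": change["ts"], "user": change["user"], "dst": rule["dst"],
                           "dport": rule["dport"], "reasons": reasons})
    return alerts


def flow_threshold_alerts(flows, factor=FLOW_THRESHOLD_FACTOR, min_history=3):
    """Flag a day whose inter-segment volume exceeds factor x the median of earlier, unflagged days."""
    history = {}
    alerts = []
    for date, src, dst, nbytes in sorted(flows):
        prior = history.setdefault((src, dst), [])
        if len(prior) >= min_history and nbytes > factor * statistics.median(prior):
            alerts.append({"date": date, "segments": (src, dst), "bytes": nbytes,
                           "baseline_median": statistics.median(prior)})
            continue                        # keep the anomaly out of the baseline
        prior.append(nbytes)
    return alerts


if __name__ == "__main__":
    print(audit_rule_changes(SAMPLE_RULE_CHANGES))
    print(flow_threshold_alerts(SAMPLE_FLOWS))
```

The Saturday-night NAT rule from `netops` into the sanctioned segment passes; the Tuesday-afternoon NAT rule into the user segment is flagged on both counts, and the filter rule is ignored. On the flow side only the 2.4 GB day is reported; the `users` to `dmz` pair has too little history to judge, which is the honest answer rather than a false alarm. Using the median and excluding flagged days keeps one large relay session from raising the baseline for the days that follow.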