LoFP / legitimate use of the localtonet service.

Techniques

Sample rules

Communication To LocaltoNet Tunneling Service Initiated

Description

Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse-proxy service that exposes services listening on localhost to the Internet. Attackers have been observed using this service for command-and-control activity and to bypass MFA and perimeter controls.

Detection logic

condition: selection
selection:
  DestinationHostname|endswith:
  - .localto.net
  - .localtonet.com
  Initiated: 'true'

Communication To LocaltoNet Tunneling Service Initiated - Linux

Description

Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse-proxy service that exposes services listening on localhost to the Internet. Attackers have been observed using this service for command-and-control activity and to bypass MFA and perimeter controls.

Detection logic

condition: selection
selection:
  DestinationHostname|endswith:
  - .localto.net
  - .localtonet.com
  Initiated: 'true'
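The Windows and Linux rules above share the same selection, so one added example serves both. The following Python is not from the LoFP site or the Sigma project: it implements the selection as a predicate, runs it over a handful of constructed Sysmon-style network-connection events, and then separates sanctioned use of LocaltoNet from unexpected use with an allowlist. The Image and User fields, the hostnames, the process paths and the allowlist entries are all assumptions made for illustration.

```python
"""Run the LocaltoNet Sigma selection over sample network-connection events.

Added example, not code from the LoFP site or the Sigma project. The
events, the Image/User values and the allowlist below are constructed.
"""

# Suffixes from the rule's DestinationHostname|endswith list. A list under
# one Sigma field is OR-ed; the Initiated field is AND-ed with that result.
LOCALTONET_SUFFIXES = (".localto.net", ".localtonet.com")

# Hypothetical allowlist of binaries an organisation has sanctioned for
# exposing a local service, keyed on the full image path (assumption).
APPROVED_IMAGES = frozenset({
    "/opt/dev-tunnel/localtonet",
})

# Constructed events in the shape of Sysmon EID 3 / Sysmon for Linux.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\localtonet.exe", "User": "CORP\\alice",
     "DestinationHostname": "abc123.localto.net", "Initiated": "true"},
    {"Image": "/opt/dev-tunnel/localtonet", "User": "devops",
     "DestinationHostname": "dev-api.localtonet.com", "Initiated": "true"},
    # Inbound connection: Initiated is false, so the rule must not fire.
    {"Image": r"C:\Windows\System32\svchost.exe", "User": "NT AUTHORITY\\SYSTEM",
     "DestinationHostname": "x1.localto.net", "Initiated": "false"},
    # Unrelated destination.
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "User": "CORP\\bob",
     "DestinationHostname": "www.example.com", "Initiated": "true"},
    # Mixed case: Sigma string matching is case-insensitive.
    {"Image": r"C:\Users\bob\AppData\Local\Temp\tunnel.exe", "User": "CORP\\bob",
     "DestinationHostname": "Demo.LOCALTO.NET", "Initiated": "True"},
    # Look-alike host that merely contains the brand: endswith rejects it.
    {"Image": "/usr/bin/curl", "User": "carol",
     "DestinationHostname": "localto.net.example", "Initiated": "true"},
    # The apex domain itself: no leading dot, so the sub-domain suffix does not match.
    {"Image": "/usr/bin/curl", "User": "carol",
     "DestinationHostname": "localto.net", "Initiated": "true"},
]


def matches_rule(event: dict) -> bool:
    """The rule's 'selection' as a predicate over one event.

    Sigma compares strings case-insensitively, so both the hostname and the
    Initiated value are lowercased before comparison.
    """
    host = str(event.get("DestinationHostname", "")).lower()
    initiated = str(event.get("Initiated", "")).lower() == "true"
    return initiated and host.endswith(LOCALTONET_SUFFIXES)


def triage(events, approved_images=APPROVED_IMAGES):
    """Split rule hits into alerts and allowlisted (sanctioned) hits.

    Keying the allowlist on the image path alone is a weak filter: an
    attacker can drop a binary at an approved path. In production, pair the
    path with the user and host and review the list periodically.
    """
    alerts, sanctioned = [], []
    for event in events:
        if not matches_rule(event):
            continue
        bucket = sanctioned if event.get("Image") in approved_images else alerts
        bucket.append(event)
    return alerts, sanctioned


if __name__ == "__main__":
    hits, ok = triage(SAMPLE_EVENTS)
    for event in hits:
        print("ALERT     ", event["User"], event["Image"], "->", event["DestinationHostname"])
    for event in ok:
        print("SANCTIONED", event["User"], event["Image"], "->", event["DestinationHostname"])
```

Two behaviours of the rule are worth keeping in mind when tuning it: the suffix match only fires on sub-domains, so a bare `localto.net` or `localtonet.com` destination is not covered, and the rule fires on every outbound connection regardless of process, so the allowlist (or a Sigma filter block scoped to the sanctioned path and user) is what turns legitimate use into a non-alert rather than a change to the selection itself.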