From 65f92dcd473e4b43bbc3b94d0823c15af2bcdd7d Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 27 Dec 2022 11:58:44 +0100
Subject: [PATCH] rule: HTran / NATBypass usage

---
 .../proc_creation_win_hack_htran.yml | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_hack_htran.yml

diff --git a/rules/windows/process_creation/proc_creation_win_hack_htran.yml b/rules/windows/process_creation/proc_creation_win_hack_htran.yml
new file mode 100644
index 000000000..5383dec3b
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_hack_htran.yml
@@ -0,0 +1,29 @@
+title: Htran or NATBypass Markers
+id: f5e3b62f-e577-4e59-931e-0a15b2b94e1e
+status: experimental
+description: Detects exeuctable names or flags used by Htran or Htran-like tools (e.g. NATBypass)
+references:
+    - https://github.com/HiwinCN/HTran
+    - https://github.com/cw1997/NATBypass
+author: Florian Roth
+date: 2022/12/27
+tags:
+    - attack.command_and_control
+    - attack.t1090
+    - attack.s0040
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_name:
+        Image|endswith:
+            - '\htran.exe'
+            - '\lcx.exe'
+    selection_flags1:
+        CommandLine|contains:
+            - '.exe -tran '
+            - '.exe -slave '
+    condition: 1 of selection*
+falsepositives:
+    - Unknown
+level: high
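Review bot: The `selection_flags1` patterns only fire when the literal string `.exe ` precedes the mode switch, so an operator who launches the renamed binary without the extension (`htran -slave 443 10.0.0.5 3389`) or drops it via `cmd /c` with a path containing no `.exe` token never hits this selection, and the name selection will not catch it either once the file is renamed away from `htran.exe`/`lcx.exe`. Both referenced tools also expose a `-listen` mode that the rule does not look for; adding `'.exe -listen '` would close that gap, at the cost of possible hits on unrelated tools that take a `-listen` switch, so it is worth stating in `falsepositives` rather than leaving it at `Unknown`. The `1 of selection*` condition means a single port-forwarding flag is enough to raise a `high` alert, which is a conscious trade-off but should be spelled out in the description as `Detects executable names or command line flags used by Htran or Htran-like port forwarders (e.g. NATBypass); matches on flags alone are expected to be rare on normal systems` — that sentence also fixes the `exeuctable` typo. Naming the selection `selection_flags1` with no `selection_flags2` in the file is a leftover; `selection_flags` is sufficient.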