frack113
37 lines
1.2 KiB
YAML
37 lines
1.2 KiB
YAML
title: Fast Reverse Proxy (FRP)
|
|
id: 32410e29-5f94-4568-b6a3-d91a8adad863
|
|
status: experimental
|
|
description: Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.
|
|
references:
|
|
- https://asec.ahnlab.com/en/38156/
|
|
- https://github.com/fatedier/frp
|
|
author: frack113, Florian Roth
|
|
date: 2022/09/02
|
|
modified: 2022/10/08
|
|
tags:
|
|
- attack.command_and_control
|
|
- attack.t1090
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection:
|
|
Image|endswith:
|
|
- '\frpc.exe'
|
|
- '\frps.exe'
|
|
selection_commandline:
|
|
CommandLine|contains: '\frpc.ini'
|
|
selection_hashes:
|
|
# v0.44.0
|
|
- Hashes|contains:
|
|
- "MD5=7D9C233B8C9E3F0EA290D2B84593C842"
|
|
- "SHA1=06DDC9280E1F1810677935A2477012960905942F"
|
|
- "SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C"
|
|
- md5: '7d9c233b8c9e3f0ea290d2b84593c842'
|
|
- sha1: '06ddc9280e1f1810677935a2477012960905942f'
|
|
- sha256: '57b0936b8d336d8e981c169466a15a5fd21a7d5a2c7daf62d5e142ee860e387c'
|
|
condition: 1 of selection*
|
|
falsepositives:
|
|
- Legitimate use
|
|
level: high
|