Florian Roth
37 lines
1.1 KiB
YAML
37 lines
1.1 KiB
YAML
title: IOX Tunneling Tool
|
|
id: d7654f02-e04b-4934-9838-65c46f187ebc
|
|
status: experimental
|
|
description: Detects the use of IOX - a tool for port forwarding and intranet proxy purposes
|
|
references:
|
|
- https://github.com/EddieIvan01/iox
|
|
author: Florian Roth
|
|
date: 2022/10/08
|
|
tags:
|
|
- attack.command_and_control
|
|
- attack.t1090
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection:
|
|
Image|endswith: '\iox.exe'
|
|
selection_commandline:
|
|
CommandLine|contains:
|
|
- '.exe fwd -l '
|
|
- '.exe fwd -r '
|
|
- '.exe proxy -l '
|
|
- '.exe proxy -r '
|
|
selection_hashes:
|
|
# v0.4
|
|
- Hashes|contains:
|
|
- "MD5=9DB2D314DD3F704A02051EF5EA210993"
|
|
- "SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD"
|
|
- "SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731"
|
|
- md5: '9db2d314dd3f704a02051ef5ea210993'
|
|
- sha1: '039130337e28a6623ecf9a0a3da7d92c5964d8dd'
|
|
- sha256: 'c6cf82919b809967d9d90ea73772a8aa1c1eb3bc59252d977500f64f1a0d6731'
|
|
condition: 1 of selection*
|
|
falsepositives:
|
|
- Legitimate use
|
|
level: high
|