Htran


- Tool Overview

Category: Malicious Communication Relay
Description: Relays communications through a tunnel to bypass firewall restrictions.
Example of Presumed Tool Use During an Attack: This tool is used to pass communication for ports that are not permitted through ports that are whitelisted in firewalls.

- Tool Operation Overview

Item | Source Host / Destination Host
OS | Windows
Belonging to Domain | Not required
Rights | Standard user
Communication Protocol | Any TCP port

- Information Acquired from Log

Standard Settings
  • Source host
    • Execution history (Prefetch)
  • Destination Host
    • Depends on the application executed via a tunnel
Additional Settings
  • Source host
    • Execution history (audit policy, Sysmon)
  • Destination Host
    • Presence or absence of communications with the tunnel host (attacker) and tunnel destination host (destination host) (audit policy)
    • Depends on the application executed via a tunnel

- Evidence That Can Be Confirmed When Execution is Successful

- Main Information Recorded at Execution

- Source Host

Event log

# | Log | Event ID | Task Category | Event Details
1 | Microsoft-Windows-Sysmon/Operational | 1 | Process Create (rule: ProcessCreate) | Process Create.
  • CommandLine: Command line of the execution command ([Executable File Name of Tool] -tran [Tunnel Source Port] [Destination Host IP Address] [Tunnel Destination Port])
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (path to the tool)
  • User: Execute as user
2 | Microsoft-Windows-Sysmon/Operational | 3 | Network connection detected (rule: NetworkConnect) | Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (attacker's IP address)
  • Image: Path to the executable file (path to the tool)
  • DestinationHostname: Destination host name (attacker's host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (tunnel source port)
  • SourceHostname: Source host name (source host name)
  • SourceIp: Source IP address (source host IP address)

- Destination Host

Event log

# | Log | Event ID | Task Category | Event Details
1 | Microsoft-Windows-Sysmon/Operational | 3 | Network connection detected (rule: NetworkConnect) | Network connection detected. Subsequent operations depend on the tool that is executed via the tunnel.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (source host IP address)
  • Image: Path to the executable file (C:\Windows\System32\svchost.exe)
  • DestinationHostname: Destination host name (source host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\NETWORK SERVICE)
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (tunnel destination port)
  • SourceHostname: Source host name (destination host name)
  • SourceIp: Source IP address (destination host IP address)

- Details: Source Host

- Event Log

# | Event Log | Event ID | Task Category | Event Details
1 | Microsoft-Windows-Sysmon/Operational | 1 | Process Create (rule: ProcessCreate) | Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process
  • CurrentDirectory: Work directory (path to the tool)
  • CommandLine: Command line of the execution command ([Executable File Name of Tool] -tran [Tunnel Source Port] [Destination Host IP Address] [Tunnel Destination Port])
  • IntegrityLevel: Privilege level (High)
  • ParentCommandLine: Command line of the parent process
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (path to the tool)
  | Security | 4688 | Process Create | A new process has been created.
  • Process Information > Mandatory Label: Integrity level of the new process (Mandatory Label\High Mandatory Level)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Source Process Name: Path to parent process that created the new process
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (path to the tool)
  • Process Information > Token Elevation Type: Presence of privilege escalation (2)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
2 | Microsoft-Windows-Sysmon/Operational | 11 | File created (rule: FileCreate) | File created.
  • Image: Path to the executable file (C:\Windows\System32\svchost.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file (C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf)
  • CreationUtcTime: File creation date and time (UTC)
  | Security | 4656 | File System/Other Object Access Events | A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
  • Object > Object Name: Target file name (C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf)
  • Subject > Account Name: Name of the account that executed the tool
  • Subject > Account Domain: Domain to which the account belongs
  • Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\svchost.exe)
  • Subject > Security ID: SID of the user who executed the tool (SYSTEM)
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
  | Security | 4663 | File System | An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privilege
  • Audit Success: Success or failure (access successful)
  • Object > Object Name: Target file name (C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf)
  • Access Request Information > Access: Requested privileges (including WriteData or AddFile, and AppendData)
  • Process Information > Process Name: Name of the process that accessed the object (C:\Windows\System32\svchost.exe)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process (SYSTEM)
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
  | Security | 4658 | File System | The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Account Name: Name of the account that executed the tool
  • Subject > Account Domain: Domain to which the account belongs
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Subject > Security ID: SID of the user who executed the tool (SYSTEM)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
3 | Microsoft-Windows-Sysmon/Operational | 12 | Registry object added or deleted (rule: RegistryEvent) | Registry object added or deleted.
  • EventType: Type of registry operation (CreateKey)
  • Image: Path to the executable file (path to the tool)
  • ProcessGuid/ProcessId: Process ID
  • TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters)
4 | Microsoft-Windows-Sysmon/Operational | 3 | Network connection detected (rule: NetworkConnect) | Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (attacker's IP address)
  • Image: Path to the executable file (path to the tool)
  • DestinationHostname: Destination host name (attacker's host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (tunnel source port)
  • SourceHostname: Source host name (source host name)
  • SourceIp: Source IP address (source host IP address)
  | Security | 5156 | Filtering Platform Connection | The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (tunnel source port)
  • Network Information > Destination Address: Destination IP address
  • Network Information > Source Address/Source Port: Source IP address/Port number
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (path to the tool)
  • Network Information > Direction: Communication direction (outbound)
5 | Microsoft-Windows-Sysmon/Operational | 3 | Network connection detected (rule: NetworkConnect) | Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (destination host IP address)
  • Image: Path to the executable file (path to the tool)
  • DestinationHostname: Destination host name (destination host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • DestinationPort: Destination Port Number (tunnel destination port)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name (source host name)
  • SourceIp: Source IP address (source host IP address)
  | Security | 5156 | Filtering Platform Connection | The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination Port Number (tunnel destination port)
  • Network Information > Destination Address: Destination IP address
  • Network Information > Source Address/Source Port: Source IP address/Port number
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (path to the tool)
  • Network Information > Direction: Communication direction (outbound)
6 | Microsoft-Windows-Sysmon/Operational | 5 | Process terminated (rule: ProcessTerminate) | Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (path to the tool)
  | Security | 4689 | Process Termination | A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Exit Status: Process return value (0x0)
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Process Name: Path to the executable file (path to the tool)
  • Subject > Logon ID: Session ID of the user who executed the process

- USN Journal

# | File Name | Process | Attribute
1 | [Executable File Name of Tool]-[RANDOM].pf | FILE_CREATE | archive+not_indexed
  | [Executable File Name of Tool]-[RANDOM].pf | DATA_EXTEND+FILE_CREATE | archive+not_indexed
  | [Executable File Name of Tool]-[RANDOM].pf | CLOSE+DATA_EXTEND+FILE_CREATE | archive+not_indexed

- MFT

# | Path | Header Flag | Validity
1 | [Drive Name]:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf | FILE | ALLOCATED

- Prefetch

# | Prefetch File | Process Name | Process Path | Information That Can Be Confirmed
1 | C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf | | | Last Run Time (last execution date and time)

- Details: Destination Host

- Event Log

# | Event Log | Event ID | Task Category | Event Details
1 | Microsoft-Windows-Sysmon/Operational | 3 | Network connection detected (rule: NetworkConnect) | Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (source host IP address)
  • Image: Path to the executable file (C:\Windows\System32\svchost.exe)
  • DestinationHostname: Destination host name (source host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\NETWORK SERVICE)
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (tunnel destination port)
  • SourceHostname: Source host name (destination host name)
  • SourceIp: Source IP address (destination host IP address)
  | Security | 5156 | Filtering Platform Connection | The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (tunnel destination port)
  • Network Information > Destination Address: Destination IP address (source host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process
  • Network Information > Direction: Communication direction
  • Network Information > Source Address: Source IP address (destination host)
  • Application Information > Process ID: Process ID
2 | Security | 4776 | Credential Validation | The Domain Controller attempted to validate the credentials for an account.
  • Authentication Package: Package used for authentication (MICROSOFT_AUTHENTICATION_PACKAGE_V1_0)
  • Logon Account: Account used
  • Source Workstation: Host that requested account validation (attacker's host name)
  • Error Code: Execution result (0x0)
3 | Microsoft-Windows-Sysmon/Operational | 3 | Network connection detected (rule: NetworkConnect) | Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (source host IP address)
  • Image: Path to the executable file (C:\Windows\System32\svchost.exe)
  • DestinationHostname: Destination host name (source host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\NETWORK SERVICE)
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (tunnel destination port)
  • SourceHostname: Source host name (destination host name)
  • SourceIp: Source IP address (destination host IP address)
  | Security | 5156 | Filtering Platform Connection | The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (tunnel destination port)
  • Network Information > Destination Address: Destination IP address (source host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process
  • Network Information > Direction: Communication direction
  • Network Information > Source Address: Source IP address (destination host)
  • Application Information > Process ID: Process ID
4 | Security | 4648 | Logon | A logon was attempted using explicit credentials.
  • Process Information > Process ID: Process ID that attempted the logon
  • Network Information > Port: Source port (high port)
  • Account for which Credentials were Used > Account Name: Specified account name
  • Subject > Logon ID/Logon GUID: Session ID of the user who executed the authentication
  • Subject > Account Domain: Domain to which the account belongs
  • Target Server > Target Server Name: Logon destination host name (localhost)
  • Process Information > Process Name: Process name that attempted the logon (C:\Windows\System32\winlogon.exe)
  • Subject > Account Name: Name of the account that executed the tool
  • Subject > Security ID: SID of the user who executed the tool
  • Target Server > Additional Information: Additional information on the logon destination host (localhost)
  • Account for which Credentials were Used > Account Domain: Domain to which the specified account belongs
  • Network Information > Network Address: Logon source host (source host)
  | Security | 4624 | Logon | An account was successfully logged on.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on
  • Network Information > Source Port: Source port number (high port)
  • New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on
  • Logon Type: Logon path, method, etc.
  • Network Information > Workstation Name: Name of the host that requested the logon (destination host)
  • Process Information > Process Name: Path to the executable file
  • Network Information > Source Network Address: IP address that requested the logon (source host)
  • Subject > Logon ID: Session ID of the user who executed the authentication
  | Security | 4672 | Special Logon | Privileges assigned to a new logon.
  • Privileges: Assigned privileges (SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
5 | Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational | 1149 | TerminalServices-RemoteConnectionManager | Remote Desktop Services: User authentication was successful.
  • Domain: Domain of the user (destination host name)
  • User: User who was using the session
  • Source Network Address: Source host address of the session (source host)
  | Microsoft-Windows-TerminalServices-LocalSessionManager/Operational | 24 | TerminalServices-LocalSessionManager | Remote Desktop Services: Session has been disconnected.
  • User: User who was using the session
  • Source Network Address: Source host address of the session (local)
  • Session ID: ID of the session (number)
  | Microsoft-Windows-TerminalServices-LocalSessionManager/Operational | 25 | TerminalServices-LocalSessionManager | Remote Desktop Services: Session reconnection successful.
  • User: User who was using the session
  • Source Network Address: Source host address of the session (source host)
  • Session ID: ID of the session (number)
  | Microsoft-Windows-TerminalServices-LocalSessionManager/Operational | 24 | TerminalServices-LocalSessionManager | Remote Desktop Services: Session has been disconnected.
  • User: User who was using the session
  • Source Network Address: Source host address of the session (source host)
  • Session ID: ID of the session (number)
  | Microsoft-Windows-TerminalServices-LocalSessionManager/Operational | 25 | TerminalServices-LocalSessionManager | Remote Desktop Services: Session reconnection successful.
  • User: User who was using the session
  • Source Network Address: Source host address of the session (local)
  • Session ID: ID of the session (number)
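
The tables above describe the relay from both ends: on the source host, a Sysmon Event ID 1 whose command line uses the -tran form, followed by two Event ID 3 connections from the same ProcessGuid (one whose source port is the tunnel source port, toward the attacker's high port, and one to the destination host on the tunnel destination port); on the destination host, an Event ID 3 for svchost.exe whose destination is the source host and whose source port is the tunnel destination port. The following Python script, added here as an example and not part of the JPCERT page or of the tool itself, correlates exactly those fields. It assumes the Sysmon events have been exported as dictionaries keyed by their EventData field names (as a SIEM export would provide them); the function names, the sample events and every IP address and port in them are constructed for illustration.

```python
"""Correlate Sysmon events from both ends of an HTran-style "-tran" port relay.

Source host: Event ID 1 whose CommandLine uses "-tran", tied to the Event ID 3
connections of the same ProcessGuid. Destination host: Event ID 3 whose peer is the
relay host and whose SourcePort is the tunnel destination port.
Sample events are constructed for this example; they are not from a real host.
"""
import re
from collections import defaultdict

# -tran syntax: <tool> -tran <tunnel source port> <destination host IP> <tunnel destination port>
TRAN_RE = re.compile(
    r"(?:^|\s)-tran\s+(\d{1,5})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,5})", re.I)


def parse_tran_cmdline(cmdline):
    """Return (tunnel_source_port, dest_ip, tunnel_dest_port) for a -tran command line, else None."""
    m = TRAN_RE.search(cmdline or "")
    if m is None:
        return None
    return int(m.group(1)), m.group(2), int(m.group(3))


def find_relays(source_events):
    """Source host: relay processes, each checked against the two connections a relay produces."""
    conns_by_guid = defaultdict(list)
    for ev in source_events:
        if ev.get("EventID") == 3:
            conns_by_guid[ev["ProcessGuid"]].append(ev)
    relays = []
    for ev in source_events:
        if ev.get("EventID") != 1:
            continue
        parsed = parse_tran_cmdline(ev.get("CommandLine"))
        if parsed is None:
            continue
        listen_port, dest_ip, dest_port = parsed
        conns = conns_by_guid.get(ev["ProcessGuid"], [])
        # Attacker side (source-host row 4): local source port is the tunnel source port, peer on a high port.
        attacker_side = [c for c in conns if int(c["SourcePort"]) == listen_port]
        # Destination side (source-host row 5): outbound to the destination host on the tunnel destination port.
        dest_side = [c for c in conns
                     if c["DestinationIp"] == dest_ip and int(c["DestinationPort"]) == dest_port]
        relays.append({
            "process_guid": ev["ProcessGuid"],
            "image": ev.get("Image"),
            "user": ev.get("User"),
            "listen_port": listen_port,
            "dest_ip": dest_ip,
            "dest_port": dest_port,
            "relay_host_ip": next((c["SourceIp"] for c in conns), None),
            "attacker_peers": sorted({c["DestinationIp"] for c in attacker_side}),
            # A command line alone is weak evidence; require both connections for the same process.
            "confirmed": bool(attacker_side and dest_side),
        })
    return relays


def find_relayed_inbound(dest_events, relays):
    """Destination host: Event ID 3 records whose peer is the relay host on the tunnel destination port."""
    hits = []
    for relay in relays:
        for ev in dest_events:
            if (ev.get("EventID") == 3 and ev["DestinationIp"] == relay["relay_host_ip"]
                    and int(ev["SourcePort"]) == relay["dest_port"]):
                hits.append({"relay_process_guid": relay["process_guid"], **ev})
    return hits


# Constructed sample events (Sysmon EventData field names): 10.0.0.10 is the source host,
# 10.0.0.20 the destination host, and 203.0.113.5 (documentation range) stands in for the attacker.
SOURCE_HOST_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{guid-relay}", "Image": "C:\\Users\\alice\\htran.exe",
     "CommandLine": "htran.exe -tran 443 10.0.0.20 3389", "User": "CORP\\alice"},
    {"EventID": 3, "ProcessGuid": "{guid-relay}", "Protocol": "tcp", "SourceIp": "10.0.0.10",
     "SourcePort": "443", "DestinationIp": "203.0.113.5", "DestinationPort": "51234"},
    {"EventID": 3, "ProcessGuid": "{guid-relay}", "Protocol": "tcp", "SourceIp": "10.0.0.10",
     "SourcePort": "49800", "DestinationIp": "10.0.0.20", "DestinationPort": "3389"},
    {"EventID": 1, "ProcessGuid": "{guid-other}", "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe notes.txt", "User": "CORP\\alice"},
]
DEST_HOST_EVENTS = [
    {"EventID": 3, "ProcessGuid": "{guid-svc}", "Image": "C:\\Windows\\System32\\svchost.exe",
     "Protocol": "tcp", "SourceIp": "10.0.0.20", "SourcePort": "3389",
     "DestinationIp": "10.0.0.10", "DestinationPort": "49800"},
    {"EventID": 3, "ProcessGuid": "{guid-svc}", "Image": "C:\\Windows\\System32\\svchost.exe",
     "Protocol": "tcp", "SourceIp": "10.0.0.20", "SourcePort": "3389",
     "DestinationIp": "10.0.0.30", "DestinationPort": "50001"},  # unrelated RDP client
]

if __name__ == "__main__":
    relays = find_relays(SOURCE_HOST_EVENTS)
    for r in relays:
        print(f"relay {r['image']} ({r['user']}): :{r['listen_port']} -> {r['dest_ip']}:{r['dest_port']} "
              f"attacker peers={r['attacker_peers']} confirmed={r['confirmed']}")
    for h in find_relayed_inbound(DEST_HOST_EVENTS, relays):
        print(f"destination host: {h['Image']} {h['SourceIp']}:{h['SourcePort']} <- "
              f"{h['DestinationIp']}:{h['DestinationPort']} (relay process {h['relay_process_guid']})")
```

Run it directly to print the relay found on the source host and the destination-host connection it explains; replace the two lists with a real export to use it on live data. The `confirmed` flag is deliberately strict: it requires both connections for the same ProcessGuid, so a renamed executable or a command line seen without the matching network activity is reported but not treated as a working relay, and the destination-host match only fires for the relay host and tunnel destination port rather than for every RDP client.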

- Remarks