Htran

- Table of Contents

Tool Overview
Tool Operation Overview
Information Acquired from Log
Evidence That Can Be Confirmed When Execution is Successful
Main Information Recorded at Execution
Details: Source Host
Details: Destination Host
Remarks

Open all sections | Close all sections

- Tool Overview

Category: Malicious Communication Relay
Description: Bypasses communications.
Example of Presumed Tool Use During an Attack: This tool is used to pass communication from unauthorized ports via ports whitelisted in firewalls.

- Tool Operation Overview

Item	Source Host	Destination Host
OS	Windows
Belonging to Domain	Not required
Rights	Standard user
Communication Protocol	Any TCP port

- Information Acquired from Log

Standard Settings

Source host
- Execution history (Prefetch)
Destination Host
- Depends on the application executed via a tunnel

Additional Settings

Source host
- Execution history (audit policy, Sysmon)
Destination Host
- Presence or absence of communications with the tunnel host (attacker) and tunnel destination host (destination host) (audit policy)
- Depends on the application executed via a tunnel

- Evidence That Can Be Confirmed When Execution is Successful

A communication occurred with the tunnel host and tunnel destination host is recorded with Event ID: 5156 in the event log "Security".

- Main Information Recorded at Execution

- Source Host

Event log

#	Log	Event ID	Task Category	Event Details
1	Microsoft-Windows-Sysmon/Operational	1	Process Create (rule: ProcessCreate)	Process Create. CommandLine: Command line of the execution command ([Executable File Name of Tool] -tran [Tunnel Source Port] [Destination Host IP Address] [Tunnel Destination Port]) UtcTime: Process execution date and time (UTC) ProcessGuid/ProcessId: Process ID Image: Path to the executable file (path to the tool) User: Execute as user
2	Microsoft-Windows-Sysmon/Operational	3	Network connection detected (rule: NetworkConnect)	Network connection detected. Protocol: Protocol (tcp) DestinationIp: Destination IP address (attacker's IP address) Image: Path to the executable file (path to the tool) DestinationHostname: Destination host name (attacker's host name) ProcessGuid/ProcessId: Process ID User: Execute as user DestinationPort: Destination port number (high port) SourcePort: Source port number (tunnel source port) SourceHostname: Source host name (source host name) SourceIp: Source IP address (source host IP address)

- Destination Host

Event log

#	Log	Event ID	Task Category	Event Details
1	Microsoft-Windows-Sysmon/Operational	3	Network connection detected (rule: NetworkConnect)	Network connection detected. Subsequent operations depend on the tool that is executed via the tunnel. Protocol: Protocol (tcp) DestinationIp: Destination IP address (source host IP address) Image: Path to the executable file (C:\Windows\System32\svchost.exe) DestinationHostname: Destination host name (source host name) ProcessGuid/ProcessId: Process ID User: Execute as user (NT AUTHORITY\NETWORK SERVICE) DestinationPort: Destination port number (high port) SourcePort: Source port number (tunnel destination port) SourceHostname: Source host name (destination host name) SourceIp: Source IP address (destination host IP address)

- Details: Source Host

- Event Log

#	Event Log	Event ID	Task Category	Event Details
1	Microsoft-Windows-Sysmon/Operational	1	Process Create (rule: ProcessCreate)	Process Create. LogonGuid/LogonId: ID of the logon session ParentProcessGuid/ParentProcessId: Process ID of the parent process ParentImage: Executable file of the parent process CurrentDirectory: Work directory (path to the tool) CommandLine: Command line of the execution command ([Executable File Name of Tool] -tran [Tunnel Source Port] [Destination Host IP Address] [Tunnel Destination Port]) IntegrityLevel: Privilege level (High) ParentCommandLine: Command line of the parent process UtcTime: Process execution date and time (UTC) ProcessGuid/ProcessId: Process ID User: Execute as user Hashes: Hash value of the executable file Image: Path to the executable file (path to the tool)
1	Security	4688	Process Create	A new process has been created. Process Information > Required Label: Necessity of privilege escalation (Mandatory Label\High Mandatory Level) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Process Information > Source Process Name: Path to parent process that created the new process Log Date and Time: Process execution date and time (local time) Process Information > New Process Name: Path to the executable file (path to the tool) Process Information > Token Escalation Type: Presence of privilege escalation (2) Process Information > New Process ID: Process ID (hexadecimal) Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7 Subject > Logon ID: Session ID of the user who executed the process
2	Microsoft-Windows-Sysmon/Operational	11	File created (rule: FileCreate)	File created. Image: Path to the executable file (C:\Windows\System32\svchost.exe) ProcessGuid/ProcessId: Process ID TargetFilename: Created file (C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf) CreationUtcTime: File creation date and time (UTC)
	Security	4656	File System/Other Object Access Events	A handle to an object was requested. Process Information > Process ID: Process ID (hexadecimal) Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData) Object > Object Name: Target file name (C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf) Subject > Account Name: Name of the account that executed the tool Subject > Account Domain: Domain to which the account belongs Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe) Subject > Security ID: SID of the user who executed the tool (SYSTEM) Object > Object Type: Type of the file (File) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle
	Security	4663	File System	An attempt was made to access an object. Process Information > Process ID: Process ID (hexadecimal) Access Request Information > Access/Reason for Access/Access Mask: Requested privilege Audit Success: Success or failure (access successful) Object > Object Name: Target file name (C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf) Access Request Information > Access: Requested privileges (including WriteData or AddFile, and AppendData) Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe) Object > Object Type: Category of the target (File) Subject > Logon ID: Session ID of the user who executed the process (SYSTEM) Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
	Security	4658	File System	The handle to an object was closed. Process Information > Process ID: Process ID (hexadecimal) Subject > Account Name: Name of the account that executed the tool Subject > Account Domain: Domain to which the account belongs Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\svchost.exe) Subject > Security ID: SID of the user who executed the tool (SYSTEM) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
3	Microsoft-Windows-Sysmon/Operational	12	Registry object added or deleted (rule: RegistryEvent)	Registry object added or deleted. EventType: Process type (CreateKey) Image: Path to the executable file (path to the tool) ProcessGuid/ProcessId: Process ID TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters)
4	Microsoft-Windows-Sysmon/Operational	3	Network connection detected (rule: NetworkConnect)	Network connection detected. Protocol: Protocol (tcp) DestinationIp: Destination IP address (attacker's IP address) Image: Path to the executable file (path to the tool) DestinationHostname: Destination host name (attacker's host name) ProcessGuid/ProcessId: Process ID User: Execute as user DestinationPort: Destination port number (high port) SourcePort: Source port number (tunnel source port) SourceHostname: Source host name (source host name) SourceIp: Source IP address (source host IP address)
4	Security	5156	Filtering Platform Connection	The Windows Filtering Platform has allowed a connection. Network Information > Destination Port: Destination port number (tunnel source port) Network Information > Destination Address: Destination IP address Network Information > Source Address/Source Port: Source IP address/Port number Network Information > Protocol: Protocol used (6=TCP) Application Information > Application Name: Execution process (path to the tool) Network Information > Direction: Communication direction (outbound)
5	Microsoft-Windows-Sysmon/Operational	3	Network connection detected (rule: NetworkConnect)	Network connection detected. Protocol: Protocol (tcp) DestinationIp: Destination IP address (destination host IP address) Image: Path to the executable file (path to the tool) DestinationHostname: Destination host name (destination host name) ProcessGuid/ProcessId: Process ID User: Execute as user DestinationPort: Destination Port Number (tunnel destination port) SourcePort: Source port number (high port) SourceHostname: Source host name (source host name) SourceIp: Source IP address (source host IP address)
5	Security	5156	Filtering Platform Connection	The Windows Filtering Platform has allowed a connection. Network Information > Destination Port: Destination Port Number (tunnel destination port) Network Information > Destination Address: Destination IP address Network Information > Source Address/Source Port: Source IP address/Port number Network Information > Protocol: Protocol used (6=TCP) Application Information > Application Name: Execution process (path to the tool) Network Information > Direction: Communication direction (outbound)
6	Microsoft-Windows-Sysmon/Operational	5	Process terminated (rule: ProcessTerminate)	Process terminated. UtcTime: Process terminated date and time (UTC) ProcessGuid/ProcessId: Process ID Image: Path to the executable file (path to the tool)
6	Security	4689	Process Termination	A process has exited. Process Information > Process ID: Process ID (hexadecimal) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Process Information > Exit Status: Process return value (0x0) Log Date and Time: Process terminated date and time (local time) Process Information > Process Name: Path to the executable file (path to the tool) Subject > Logon ID: Session ID of the user who executed the process

- USN Journal

#	File Name	Process	Attribute
1	[Executable File Name of Tool]-[RANDOM].pf	FILE_CREATE	archive+not_indexed
	[Executable File Name of Tool]-[RANDOM].pf	DATA_EXTEND+FILE_CREATE	archive+not_indexed
	[Executable File Name of Tool]-[RANDOM].pf	CLOSE+DATA_EXTEND+FILE_CREATE	archive+not_indexed

- MFT

#	Path	Header Flag	Validity
1	[Drive Name]:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf	FILE	ALLOCATED

- Prefetch

#	Prefetch File	Process Name	Process Path	Information That Can Be Confirmed
1	C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf			Last Run Time (last execution date and time)

- Details: Destination Host

- Event Log

#	Event Log	Event ID	Task Category	Event Details
1	Microsoft-Windows-Sysmon/Operational	3	Network connection detected (rule: NetworkConnect)	Network connection detected. Protocol: Protocol (tcp) DestinationIp: Destination IP address (source host IP address) Image: Path to the executable file (C:\Windows\System32\svchost.exe) DestinationHostname: Destination host name (source host name) ProcessGuid/ProcessId: Process ID User: Execute as user (NT AUTHORITY\NETWORK SERVICE) DestinationPort: Destination port number (high port) SourcePort: Source port number (tunnel destination port) SourceHostname: Source host name (destination host name) SourceIp: Source IP address (destination host IP address)
1	Security	5156	Filtering Platform Connection	The Windows Filtering Platform has allowed a connection. Network Information > Destination Port: Destination port number (high port) Network Information > Source Port: Source port number (tunnel destination port) Network Information > Destination Address: Destination IP address (source host) Network Information > Protocol: Protocol used (6=TCP) Application Information > Application Name: Execution process Network Information > Direction: Communication direction Network Information > Source Address: Source IP address (destination host) Application Information > Process ID: Process ID
2	Security	4776	Credential Validation	The Domain Controller attempted to validate the credentials for an account. Authentication Package: Package used for authentication (MICROSOFT_AUTHENTICATION_PACKAGE_V1_0) Logon Account: Account used Source Workstation: Host that requested account validation (attacker's host name) Error Code: Execution result (0x0)
3	Microsoft-Windows-Sysmon/Operational	3	Network connection detected (rule: NetworkConnect)	Network connection detected. Protocol: Protocol (tcp) DestinationIp: Destination IP address (source host IP address) Image: Path to the executable file (C:\Windows\System32\svchost.exe) DestinationHostname: Destination host name (source host name) ProcessGuid/ProcessId: Process ID User: Execute as user (NT AUTHORITY\NETWORK SERVICE) DestinationPort: Destination port number (high port) SourcePort: Source port number (tunnel destination port) SourceHostname: Source host name (destination host name) SourceIp: Source IP address (destination host IP address)
3	Security	5156	Filtering Platform Connection	The Windows Filtering Platform has allowed a connection. Network Information > Destination Port: Destination port number (high port) Network Information > Source Port: Source port number (tunnel destination port) Network Information > Destination Address: Destination IP address (source host) Network Information > Protocol: Protocol used (6=TCP) Application Information > Application Name: Execution process Network Information > Direction: Communication direction Network Information > Source Address: Source IP address (destination host) Application Information > Process ID: Process ID
4	Security	4648	Logon	A logon was attempted using explicit credentials. Process Information > Process ID: Process ID that attempted the logon Network Information > Port: Source port (high port) Account for which Credentials were Used > Account Name: Specified account name Subject > Logon ID/Logon GUID: Session ID of the user who executed the authentication Subject > Account Domain: Domain to which the account belongs Target Server > Target Server Name: Logon destination host name (localhost) Process Information > Process Name: Process name that attempted the logon (C:\Windows\System32\winlogon.exe) Subject > Account Name: Name of the account that executed the tool Subject > Security ID: SID of the user who executed the tool Target Server > Additional Information: Additional information on the logon destination host (localhost) Account for which Credentials were Used > Account Domain: Domain to which the specified account belongs Network Information > Network Address: Logon source host (source host)
	Security	4624	Logon	An account was successfully logged on. Process Information > Process ID: Process ID (hexadecimal) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on Network Information > Source Port: Source port number (high port) New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on Logon Type: Logon path, method, etc. Network Information > Workstation Name: Name of the host that requested the logon (destination host) Process Information > Process Name: Path to the executable file Network Information > Source Network Address: IP address that requested the logon (source host) Subject > Logon ID: Session ID of the user who executed the authentication
	Security	4672	Special Logon	Privileges assigned to a new logon. Privileges: Assigned privileges (SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Subject > Logon ID: Session ID of the user who executed the process
5	Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational	1149	TerminalServices-RemoteConnectionManager	Remote Desktop Services: User authentication was successful. Domain: Domain of the user (destination host name) User: User who was using the session Source Network Address: Source host address of the session (source host)
	Microsoft-Windows-TerminalServices-LocalSessionManager/Operational	24	TerminalServices-LocalSessionManager	Remote Desktop Services: Session has been disconnected. User: User who was using the session Source Network Address: Source host address of the session (local) Session ID: ID of the session (number)
	Microsoft-Windows-TerminalServices-LocalSessionManager/Operational	25	TerminalServices-LocalSessionManager	Remote Desktop Services: Session reconnection successful. User: User who was using the session Source Network Address: Source host address of the session (source host) Session ID: ID of the session (number)
	Microsoft-Windows-TerminalServices-LocalSessionManager/Operational	24	TerminalServices-LocalSessionManager	Remote Desktop Services: Session has been disconnected. User: User who was using the session Source Network Address: Source host address of the session (source host) Session ID: ID of the session (number)
	Microsoft-Windows-TerminalServices-LocalSessionManager/Operational	25	TerminalServices-LocalSessionManager	Remote Desktop Services: Session reconnection successful. User: User who was using the session Source Network Address: Source host address of the session (local) Session ID: ID of the session (number)

- Remarks

In this report, the host used for tunneling and the tunnel destination host are referred to as "the source host" and "the destination host", respectively. In addition, an attacker who uses tunnels is referred to as "the attacker".
Although there is a version of this tool that supports web proxies, the version used for this report does not support web proxies.
Although it is possible to confirm with a packet capture that a communication with the port number used for tunneling has occurred, it is not possible to determine whether the communication was a HTran communication with a packet capture only.