Protocol Tunneling

let TunnelingTools = dynamic(["plink.exe", "plink", "chisel.exe", "chisel", "ligolo.exe", "ligolo", "iodine.exe", "iodine", "ptunnel.exe", "ptunnel", "dns2tcp", "dnscat", "dnscat2", "httptunnel", "htc", "hts", "socat"]);
let DoHProviders = dynamic(["cloudflare-dns.com", "dns.google", "doh.opendns.com", "dns.quad9.net", "mozilla.cloudflare-dns.com", "doh.dns.apple.com"]);
let BrowserProcesses = dynamic(["chrome.exe", "firefox.exe", "msedge.exe", "brave.exe", "opera.exe", "iexplore.exe", "safari", "vivaldi.exe", "chromium"]);
let SystemProcesses = dynamic(["svchost.exe", "MsMpEng.exe", "services.exe", "wininit.exe", "dnscrypt-proxy.exe", "stubby.exe"]);
// Branch 1: Known tunneling tool execution
let KnownTools = DeviceProcessEvents
| where TimeGenerated > ago(1d)
| where FileName in~ (TunnelingTools)
| extend DetectionBranch = "KnownTunnelingTool"
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath, DetectionBranch;
// Branch 2: SSH with port-forwarding flags (OpenSSH, Plink)
let SSHTunneling = DeviceProcessEvents
| where TimeGenerated > ago(1d)
| where FileName in~ ("ssh.exe", "ssh", "plink.exe", "plink")
    and (
        ProcessCommandLine has "-L " or
        ProcessCommandLine has "-R " or
        ProcessCommandLine has "-D " or
        ProcessCommandLine has "-w " or
        ProcessCommandLine has "LocalForward" or
        ProcessCommandLine has "RemoteForward"
    )
| extend DetectionBranch = "SSHPortForwarding"
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath, DetectionBranch;
// Branch 3: Netsh portproxy (native Windows tunneling)
let NetshProxy = DeviceProcessEvents
| where TimeGenerated > ago(1d)
| where FileName =~ "netsh.exe"
    and ProcessCommandLine has "portproxy"
    and ProcessCommandLine has "add"
| extend DetectionBranch = "NetshPortProxy"
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath, DetectionBranch;
// Branch 4: DoH from non-browser, non-system processes
let DoHConnections = DeviceNetworkEvents
| where TimeGenerated > ago(1d)
| where RemotePort == 443
    and RemoteUrl has_any (DoHProviders)
    and InitiatingProcessFileName !in~ (BrowserProcesses)
    and InitiatingProcessFileName !in~ (SystemProcesses)
| extend DetectionBranch = "DNSoverHTTPS", AccountName = InitiatingProcessAccountName, FileName = InitiatingProcessFileName, ProcessCommandLine = InitiatingProcessCommandLine, InitiatingProcessFileName = "", InitiatingProcessCommandLine = ""
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath = RemoteUrl, DetectionBranch;
union KnownTools, SSHTunneling, NetshProxy, DoHConnections
| sort by TimeGenerated desc

index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=1 OR EventCode=3 OR EventCode=22)
| eval image_lower=lower(coalesce(Image, ""))
| eval cmdline=coalesce(CommandLine, "")
| eval dest_port=coalesce(DestinationPort, "")
| eval dns_query=coalesce(QueryName, "")
| eval score=0
| eval score=score + if(match(image_lower, "(plink|chisel|ligolo|iodine|ptunnel|dns2tcp|dnscat|httptunnel|socat)"), 70, 0)
| eval score=score + if(match(cmdline, "(-L |-R |-D |-w )") AND match(image_lower, "(ssh|putty|plink)"), 60, 0)
| eval score=score + if(match(cmdline, "portproxy") AND match(image_lower, "netsh"), 55, 0)
| eval score=score + if(match(cmdline, "(--reverse|--socks5|--tls-skip-verify)") AND match(image_lower, "chisel"), 85, 0)
| eval score=score + if(dest_port="22" AND NOT match(image_lower, "(ssh|scp|sftp|putty|winscp|filezilla|git|rsync)"), 40, 0)
| eval score=score + if(match(dns_query, "(cloudflare-dns\.com|dns\.google|doh\.opendns|quad9\.net)") AND NOT match(image_lower, "(chrome|firefox|msedge|brave|opera|iexplore|safari|svchost|dnscrypt|stubby)"), 50, 0)
| where score > 0
| eval technique="T1572 Protocol Tunneling"
| eval detection_confidence=case(score >= 70, "high", score >= 50, "medium", true(), "low")
| table _time, host, User, image_lower, cmdline, dest_port, dns_query, score, detection_confidence, technique
| sort - score, - _time

any where
  (event.category == "process" and event.type == "start" and
   (process.name : ("plink.exe","plink","chisel.exe","chisel","ligolo.exe","ligolo",
                     "iodine.exe","iodine","ptunnel.exe","ptunnel","dns2tcp","dnscat",
                     "dnscat2","httptunnel","htc","hts","socat") or
    process.command_line : ("*-R *:*:*","*-L *:*:*","*-D *","*socks5*","*socks4*",
                              "*dns-tunnel*","*--socks*"))) or
  (event.category == "network" and
   (
    (destination.port : (53) and network.bytes > 512 and network.protocol == "dns") or
    (destination.port : (443,80) and network.bytes > 1048576 and
     not destination.domain : ("*.google.com","*.microsoft.com","*.apple.com","*.amazon.com",
                                 "*.cloudflare.com","*.akamai.com","*.fastly.net"))
   ))

SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') as EventTime,
  logsourcename(logsourceid) as LogSource, username as User,
  "Image" as ProcessImage, "CommandLine" as CommandLine,
  CASE WHEN LOWER("Image") LIKE ANY ('%plink%','%chisel%','%iodine%','%dnscat%') THEN 10
       WHEN "CommandLine" ILIKE ANY ('% -R %:%:%','% -D %','%socks5%','%dns-tunnel%') THEN 9
       ELSE 6 END as RiskScore
FROM events
WHERE eventid IN (1, 4688)
  AND (
    LOWER(coalesce("Image","")) LIKE ANY
      ('%plink%','%chisel%','%ligolo%','%iodine%','%ptunnel%','%dns2tcp%','%dnscat%',
       '%httptunnel%','%htc%','%hts%','%socat%')
    OR "CommandLine" ILIKE ANY ('% -R %:%:%','% -L %:%:%','% -D %','%socks5%','%socks4%',
                                  '%dns-tunnel%','%--socks%')
  )
ORDER BY RiskScore DESC, EventTime DESC

_sourceCategory=windows/sysmon OR _sourceCategory=linux/sysmon
| json auto
| where EventID in ("1","3")
| eval ImageLower = toLower(coalesce(Image,""))
| eval CmdLower = toLower(coalesce(CommandLine,""))
| eval is_tunnel_tool = if(EventID == "1" AND (
    ImageLower matches ".*(plink|chisel|ligolo|iodine|ptunnel|dns2tcp|dnscat|httptunnel|socat).*" OR
    CmdLower matches ".*( -R .*:.*:| -L .*:.*:| -D .*|socks5|socks4|dns-tunnel|--socks).*"), 1, 0)
| eval is_dns_tunnel = if(EventID == "3" AND DestinationPort == "53" AND
    toNum(BytesSent) > 512, 1, 0)
| where is_tunnel_tool == 1 OR is_dns_tunnel == 1
| eval detection_type = if(is_tunnel_tool == 1, "Tunnel_Tool_Exec", "DNS_Tunnel_Traffic")
| table _time, Computer, User, Image, CommandLine, DestinationIp, DestinationPort, detection_type
| sort by _time desc

rule protocol_tunneling_detection {
  meta:
    author = "Detection Engineering"
    description = "Detects protocol tunneling via known tunneling tools (T1572)"
    severity = "HIGH"
    tactic = "TA0011"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path, `(?i)(plink|chisel|ligolo|iodine|ptunnel|dns2tcp|dnscat|httptunnel|socat)`) nocase or
      re.regex($e.target.process.command_line, `(?i)(\s-R\s.*:.*:|\s-L\s.*:.*:|\s-D\s|socks5|socks4|dns-tunnel|--socks)`) nocase
    )

  condition:
    $e
}

#event_simpleName = "ProcessRollup2"
| (ImageFileName = /(plink|chisel|ligolo|iodine|ptunnel|dns2tcp|dnscat2?|httptunnel|socat)$/i
   OR CommandLine = /(\s-R\s[^:]+:[^:]+:[^:]+|\s-D\s|\s-L\s[^:]+:[^:]+:[^:]+|socks5|socks4|dns-tunnel)/i)
| eval detection_type = case {
    ImageFileName = /(plink|chisel|ligolo)/i : "SSH_Tunnel_Tool";
    ImageFileName = /(iodine|dns2tcp|dnscat)/i : "DNS_Tunnel_Tool";
    CommandLine = /socks[45]/i : "SOCKS_Proxy";
    * : "Protocol_Tunnel"
  }
| table timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, detection_type
| sort by timestamp desc