Communication To LocaltoNet Tunneling Service Initiated - Linux (c4568f5d-131f-4e78-83d4-45b2da0ec4f1)

Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet. Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) | Attack Pattern | Communication To LocaltoNet Tunneling Service Initiated - Linux (c4568f5d-131f-4e78-83d4-45b2da0ec4f1) | Sigma-Rules | 1 |
| Communication To LocaltoNet Tunneling Service Initiated - Linux (c4568f5d-131f-4e78-83d4-45b2da0ec4f1) | Sigma-Rules | Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) | Attack Pattern | 1 |
| Communication To LocaltoNet Tunneling Service Initiated - Linux (c4568f5d-131f-4e78-83d4-45b2da0ec4f1) | Sigma-Rules | Protocol Tunneling - T1572 (4fe28b27-b13c-453e-a386-c2ef362a573b) | Attack Pattern | 1 |