← Back to Explore
sigmahighHunting
PUA- IOX Tunneling Tool Execution
Detects the use of IOX - a tool for port forwarding and intranet proxy purposes
Detection Query
selection:
Image|endswith: \iox.exe
selection_commandline:
CommandLine|contains:
- ".exe fwd -l "
- ".exe fwd -r "
- ".exe proxy -l "
- ".exe proxy -r "
selection_hashes:
Hashes|contains:
- MD5=9DB2D314DD3F704A02051EF5EA210993
- SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD
- SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731
condition: 1 of selection*
Author
Florian Roth (Nextron Systems)
Created
2022-10-08
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.command-and-controlattack.t1090
Raw Content
title: PUA- IOX Tunneling Tool Execution
id: d7654f02-e04b-4934-9838-65c46f187ebc
status: test
description: Detects the use of IOX - a tool for port forwarding and intranet proxy purposes
references:
- https://github.com/EddieIvan01/iox
author: Florian Roth (Nextron Systems)
date: 2022-10-08
modified: 2024-11-23
tags:
- attack.command-and-control
- attack.t1090
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\iox.exe'
selection_commandline:
CommandLine|contains:
- '.exe fwd -l '
- '.exe fwd -r '
- '.exe proxy -l '
- '.exe proxy -r '
selection_hashes:
# v0.4
Hashes|contains:
- "MD5=9DB2D314DD3F704A02051EF5EA210993"
- "SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD"
- "SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731"
condition: 1 of selection*
falsepositives:
- Legitimate use
level: high