PUA- IOX Tunneling Tool Execution

Hunt Hypothesis

Detects the use of IOX - a tool for port forwarding and intranet proxy purposes

Detection Rule

Sigma (Original)

title: PUA- IOX Tunneling Tool Execution
id: d7654f02-e04b-4934-9838-65c46f187ebc
status: test
description: Detects the use of IOX - a tool for port forwarding and intranet proxy purposes
references:
    - https://github.com/EddieIvan01/iox
author: Florian Roth (Nextron Systems)
date: 2022-10-08
modified: 2024-11-23
tags:
    - attack.command-and-control
    - attack.t1090
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\iox.exe'
    selection_commandline:
        CommandLine|contains:
            - '.exe fwd -l '
            - '.exe fwd -r '
            - '.exe proxy -l '
            - '.exe proxy -r '
    selection_hashes:
        # v0.4
        Hashes|contains:
            - "MD5=9DB2D314DD3F704A02051EF5EA210993"
            - "SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD"
            - "SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731"
    condition: 1 of selection*
falsepositives:
    - Legitimate use
level: high

KQL (Azure Sentinel)

imProcessCreate
| where TargetProcessName endswith "\\iox.exe" or (TargetProcessCommandLine contains ".exe fwd -l " or TargetProcessCommandLine contains ".exe fwd -r " or TargetProcessCommandLine contains ".exe proxy -l " or TargetProcessCommandLine contains ".exe proxy -r ") or (TargetProcessMD5 startswith "9DB2D314DD3F704A02051EF5EA210993" or TargetProcessSHA1 startswith "039130337E28A6623ECF9A0A3DA7D92C5964D8DD" or TargetProcessSHA256 startswith "C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731")

Required Data Sources

False Positive Guidance

• Legitimate use

MITRE ATT&CK Context

• Tactic: Command and Control
• Technique: T1090 — T1090

References

• https://github.com/EddieIvan01/iox
• SigmaHQ Rule