PUA - Chisel Tunneling Tool Execution
| Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
| --- | --- | --- | --- | --- |
| PUA - Chisel Tunneling Tool Execution | Standard | Windows | Command and Control: Proxy: Internal Proxy (T1090.001) | Trouble |
About the rule
Rule Type
Standard
Rule Description
Detects execution of the Chisel tunneling tool and related command line arguments indicating its use for proxy tunneling, including client/server modes, SOCKS5 proxy usage, reverse tunnels, and TLS verification bypass.
Severity
Trouble
Rule journey
Attack chain scenario
Command and Control: Proxy - Internal Proxy (T1090.001)
Impact
Enables covert proxy communication channels used by attackers for command and control, lateral movement, or data exfiltration.
Rule Requirement
Prerequisites
Using Windows Event Viewer
- Log in to a domain controller with domain admin credentials.
- Open the Group Policy Management Console (GPMC) by typing gpmc.msc in the Run dialog.
- Create a new Group Policy Object (GPO) or edit an existing one linked to the appropriate Organizational Unit (OU).
- Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Detailed Tracking.
- Right-click Audit Process Creation and select Properties.
- Select Configure the following audit events, check Success, and click OK. This produces Security Event ID 4688 (A new process has been created), the process-start event this rule evaluates.
- Right-click Audit Process Termination and select Properties.
- Select Configure the following audit events, check Success, and click OK. (Optional for this rule, which only evaluates process-start events.)
For enhanced process tracking (command line logging), which this rule depends on because every criterion except the chisel.exe image name is a command-line match:
- Navigate to Computer Configuration > Administrative Templates > System > Audit Process Creation.
- Double-click Include command line in process creation events.
- Select Enabled, then click OK. Without this setting the command line field of 4688 stays empty and a renamed chisel binary is not detected.
- Create the following registry key if it does not already exist:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-Security-Auditing\Operational
Using Sysmon (System Monitor)
- Download and install Sysmon from Microsoft Sysinternals.
- Open Command Prompt with administrator privileges.
- Create or download a Sysmon configuration file that includes process creation monitoring (Sysmon Event ID 1, which always carries the full command line).
- Install Sysmon using the configuration file, for example: sysmon.exe -accepteula -i configfile.xml
- Ensure the configuration file contains an event filter to capture process creation events. Example snippet (the schemaversion must not exceed the schema of the installed binary; sysmon.exe -s prints it):
<Sysmon schemaversion="4.90">
  <EventFiltering>
    <!-- An empty exclude rule captures all process creations (Event ID 1) -->
    <ProcessCreate onmatch="exclude" />
  </EventFiltering>
</Sysmon>
- Create the following registry key if it does not already exist:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-Sysmon\Operational
Criteria
Action1: actionname = "Process started" AND (PROCESSNAME endswith "\chisel.exe" OR (COMMANDLINE contains "exe client ,exe server " AND COMMANDLINE contains "-socks5,-reverse, r:,:127.0.0.1:,-tls-skip-verify ,:socks"))
select Action1.HOSTNAME, Action1.MESSAGE, Action1.COMMANDLINE, Action1.FILE_NAME, Action1.PROCESSNAME, Action1.USERNAME, Action1.PARENTPROCESSNAME
The process-start condition applies to both branches. Each comma-separated list is an any-of match (mirroring the upstream Sigma rule's contains lists), so the command-line branch needs one token from each list: a client or server mode keyword and one of the proxy-related switches. The leading and trailing spaces in "exe client ", " r:" and "-tls-skip-verify " are part of the tokens and must be preserved when the rule is ported.
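The criteria above, as an added example that is not part of the original rule page or of the upstream Sigma rule: a Python reimplementation of the matching logic run over constructed process-start events. Field names follow the rule's criteria; string matching is assumed case-insensitive (the Sigma default, which the SIEM's own contains and endswith operators may or may not share); the hostnames, paths, addresses and command lines are made up. One constructed event (WS03) is a non-chisel tool with similar arguments, the false-positive class listed under Known False Positives, and the last function evaluates the same terms without the outer grouping to show why the process-start check must wrap both branches.

```python
from dataclasses import dataclass

# Token lists copied from the rule's Criteria. Leading/trailing spaces are
# deliberate: "exe client " does not match "client.exe", and " r:" is the
# remote-tunnel prefix of a chisel client argument, so they are not stripped.
MODE_TOKENS = ("exe client ", "exe server ")
PROXY_TOKENS = ("-socks5", "-reverse", " r:", ":127.0.0.1:", "-tls-skip-verify ", ":socks")


@dataclass
class ProcessEvent:
    """One normalised process record (Security 4688 or Sysmon Event ID 1)."""
    actionname: str
    hostname: str
    processname: str
    commandline: str
    username: str = ""
    parentprocessname: str = ""


def contains_any(text: str, tokens) -> bool:
    """Case-insensitive 'contains any of' (assumed; the Sigma default)."""
    low = text.lower()
    return any(tok.lower() in low for tok in tokens)


def matches_chisel_rule(ev: ProcessEvent):
    """Evaluate the rule with the process-start check applied to both branches.

    actionname = "Process started"
      AND ( PROCESSNAME endswith "\\chisel.exe"
            OR ( COMMANDLINE contains any MODE_TOKENS
                 AND COMMANDLINE contains any PROXY_TOKENS ) )
    Returns (matched, reason) so an analyst can see which branch fired.
    """
    if ev.actionname != "Process started":
        return False, "not a process start"
    if ev.processname.lower().endswith("\\chisel.exe"):
        return True, "image name"
    if contains_any(ev.commandline, MODE_TOKENS) and contains_any(ev.commandline, PROXY_TOKENS):
        return True, "command line"
    return False, "no match"


def matches_without_grouping(ev: ProcessEvent) -> bool:
    """Same terms read left to right with AND binding tighter than OR, i.e.
    (actionname AND image) OR (cli): the command-line branch then ignores
    actionname and fires on any action type that carries a command line."""
    img = ev.actionname == "Process started" and ev.processname.lower().endswith("\\chisel.exe")
    cli = contains_any(ev.commandline, MODE_TOKENS) and contains_any(ev.commandline, PROXY_TOKENS)
    return img or cli


# Constructed sample events; hosts, users, paths and addresses are made up.
SAMPLE_EVENTS = [
    # Unrenamed binary: matched on image name alone.
    ProcessEvent("Process started", "WS01", r"C:\Users\alice\Downloads\chisel.exe",
                 "chisel.exe client 203.0.113.10:8080 R:socks", "alice", r"C:\Windows\explorer.exe"),
    # Renamed chisel: only the command-line branch can catch this.
    ProcessEvent("Process started", "WS02", r"C:\ProgramData\update.exe",
                 "update.exe client 203.0.113.10:443 R:1080:socks --tls-skip-verify ", "bob",
                 r"C:\Windows\System32\cmd.exe"),
    # A different tool with a similar argument style: the known false-positive class.
    ProcessEvent("Process started", "WS03", r"C:\Tools\relay.exe",
                 "relay.exe server -reverse -p 9000", "svc_build"),
    # ssh reverse forwarding: no mode keyword, so no match.
    ProcessEvent("Process started", "WS04", r"C:\Windows\System32\OpenSSH\ssh.exe",
                 "ssh.exe -R 1080 user@bastion", "carol"),
    # Mode keyword without any proxy switch: both lists are required.
    ProcessEvent("Process started", "WS05", r"C:\Tools\cli.exe", "cli.exe client --help", "dave"),
    # Process termination record: excluded by the actionname check.
    ProcessEvent("Process terminated", "WS06", r"C:\ProgramData\update.exe",
                 "update.exe client 203.0.113.10:443 R:socks", "bob"),
]


def run_rule(events):
    """Apply the rule and project the fields the rule's select clause returns."""
    hits = []
    for ev in events:
        matched, reason = matches_chisel_rule(ev)
        if matched:
            hits.append({"HOSTNAME": ev.hostname, "PROCESSNAME": ev.processname,
                         "COMMANDLINE": ev.commandline, "USERNAME": ev.username,
                         "PARENTPROCESSNAME": ev.parentprocessname, "reason": reason})
    return hits


if __name__ == "__main__":
    grouped = run_rule(SAMPLE_EVENTS)
    for hit in grouped:
        print(f"{hit['HOSTNAME']:5} {hit['reason']:13} {hit['COMMANDLINE']}")
    extra = {ev.hostname for ev in SAMPLE_EVENTS if matches_without_grouping(ev)}
    extra -= {h["HOSTNAME"] for h in grouped}
    print("without grouping the rule also fires on:", sorted(extra))
```

WS01 to WS03 fire; WS04 and WS05 do not; WS06 fires only under the ungrouped reading, which is why the outer parentheses matter when porting the rule. The reason field tells a triage analyst whether to pivot on the file (image-name hit) or on the arguments and remote endpoint (command-line hit).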
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
T1090.001: Internal Proxy
Security Standards
- Deploy network intrusion detection and prevention systems with signatures to detect tunneling and proxy tools.
- Monitor network traffic for proxies and tunneling connections.
- Utilize endpoint detection tooling to monitor suspicious tunneling tool execution.
Author
Florian Roth (Nextron Systems)
Future actions
Known False Positives
Other tools whose command line carries a client or server mode keyword together with one of the proxy-related switches (for example a -reverse or -socks5 option) also match the command-line branch. The image-name branch matches on the file name alone, so a copy of chisel that administrators run legitimately fires as well.
Next Steps
- Investigate flagged executions: the parent process, the user, and the remote host and port in the command line (all returned by the rule's select clause) show whether the tunnel is authorized and where it terminates.
- Implement continuous monitoring of proxy and tunneling activities.
- Educate security teams on detection and response to proxy tunneling.
Mitigation
| Mitigation ID | Name | Description |
| --- | --- | --- |
| M1031 | Network Intrusion Prevention | Use IDS/IPS solutions to detect and block traffic associated with adversary tunneling tools and proxy protocols. |