Communication To LocaltoNet Tunneling Service Initiated
| Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
| --- | --- | --- | --- | --- |
| Communication To LocaltoNet Tunneling Service Initiated | Standard | Windows | Command and Control: Protocol Tunneling (T1572), Command and Control: Proxy (T1090), Command and Control: Web Service (T1102) | Trouble |
About the rule
Rule Type
Standard
Rule Description
An executable process within the internal network initiates a connection to the LocaltoNet tunneling service, exposing local systems and applications to the internet through a tunnel. Such a tunnel can serve as a command and control channel and lets an attacker bypass MFA and other perimeter controls.
Severity
Trouble
Rule journey
Attack chain scenario
Initial access (Through network endpoint) → Execution (Setup Tunnel) → Defense Evasion → Command and control → Impact
Impact
- The attacker accesses the exposed internal resource remotely, often for lateral movement, data exfiltration, or maintaining persistent access.
- C2 or domain traffic is tunneled through the LocaltoNet service, masking the true destination of the attacker's infrastructure and bypassing security monitoring.
- Data exfiltration
Rule Requirement
Prerequisites
- Download and install Sysmon from Microsoft Sysinternals. Then open a Command Prompt with administrator privileges and install Sysmon with a configuration that monitors network connections:
  sysmon.exe -i [configfile.xml]
- Add network connection events to monitor in your configuration file. An empty "exclude" filter logs every NetworkConnect event (Sysmon Event ID 3):
  <Sysmon schemaversion="4.90">
    <!-- schemaversion must match your Sysmon build; "sysmon -s" prints the schema it supports -->
    <EventFiltering>
      <!-- An exclude rule group with no rules captures all network connection events -->
      <NetworkConnect onmatch="exclude"/>
    </EventFiltering>
  </Sysmon>
- Create a new registry key "Microsoft-Windows-Sysmon/Network" under "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\".
- Set the registry value Max Size to 200MB to ensure adequate storage for network logs, as they tend to be high volume.
Criteria
Action1: actionname = "sa_network_connection" AND DESTINATIONHOST endswith ".localto.net,.localtonet.com" AND IS_INITIATED = "true" select Action1.HOSTNAME,Action1.MESSAGE,Action1.USERNAME,Action1.PROCESSNAME,Action1.DESTINATIONHOST,Action1.DESTINATION_IPV6,Action1.DEST_IP,Action1.SOURCEHOST,Action1.SOURCE_IP,Action1.SOURCE_IPV6
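The Criteria above, applied to the Sysmon NetworkConnect events collected under Prerequisites, as an added example that is not part of the original rule page. The events are constructed for this example with Sysmon Event ID 3 field names; the matcher also accepts the bare apex domains and ignores case, which goes slightly beyond the literal endswith filter, and it shows why an inbound connection or a missing reverse lookup ("-") does not alert.

```python
# Domains the rule watches, taken from the Criteria's endswith list.
TUNNEL_DOMAINS = ("localto.net", "localtonet.com")

# Constructed Sysmon Event ID 3 (NetworkConnect) records; hosts, users and
# addresses are made up for this example.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "User": "CORP\\alice", "Image": r"C:\Users\alice\Downloads\localtonet.exe",
     "Initiated": "true", "SourceIp": "10.0.0.5", "DestinationIp": "203.0.113.10",
     "DestinationHostname": "eu1.localto.net"},
    {"Computer": "WS02", "User": "CORP\\bob", "Image": r"C:\Program Files\Backup\agent.exe",
     "Initiated": "true", "SourceIp": "10.0.0.6", "DestinationIp": "198.51.100.7",
     "DestinationHostname": "backup.example.com"},
    # Inbound (Initiated=false): the rule only alerts on connections the host initiated.
    {"Computer": "SRV01", "User": "NT AUTHORITY\\SYSTEM", "Image": r"C:\Windows\System32\svchost.exe",
     "Initiated": "false", "SourceIp": "10.0.0.9", "DestinationIp": "10.0.0.5",
     "DestinationHostname": "api.LocaltoNet.com"},
    # Sysmon writes "-" when reverse DNS yields no name, so a hostname-based rule misses this.
    {"Computer": "WS03", "User": "CORP\\carol", "Image": r"C:\tools\tunnel.exe",
     "Initiated": "true", "SourceIp": "10.0.0.7", "DestinationIp": "203.0.113.11",
     "DestinationHostname": "-"},
]


def is_tunnel_host(hostname: str) -> bool:
    """True when hostname is a watched domain or a subdomain of one.

    Matches on a label boundary, so "notlocalto.net" does not match; case and a
    trailing dot are normalised because Sysmon does not guarantee either."""
    host = hostname.strip().lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TUNNEL_DOMAINS)


def evaluate(events):
    """Apply the rule: outbound (Initiated == "true") connections to a tunnel host."""
    hits = []
    for ev in events:
        if ev.get("Initiated", "").lower() != "true":
            continue
        if not is_tunnel_host(ev.get("DestinationHostname", "")):
            continue
        # Keep the same fields the rule's select clause returns.
        hits.append({k: ev.get(k, "-") for k in (
            "Computer", "User", "Image", "DestinationHostname", "DestinationIp", "SourceIp")})
    return hits


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

Only the WS01 event alerts; the "-" case is the reason to pair this rule with DNS query logging (Sysmon Event ID 22) or destination IP intelligence.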
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
Command and Control: Protocol Tunneling (T1572), Command and Control: Proxy (T1090), Command and Control: Web Service (T1102)
Security Standards
Enabling this rule will help you meet the security standards' requirements listed below:
DE.CM-01: Networks and network services are monitored to find potentially adverse events.
Security administrators must continuously monitor the network and its services in real time with SIEM tools and identify unusual behavior such as connections initiated to the LocalToNet tunneling service. Enforce web traffic policies to maintain network security.
PR.IR-01: Networks and environments are protected from unauthorized logical access and usage.
This standard emphasizes protecting networks and environments from illegitimate traffic and unauthorized usage. Role-based access controls and network segmentation are the main techniques for implementing it.
Author
Andreas Braathen (mnemonic.io)
Future actions
Known False Positives
Sanctioned business tools or applications may run scripts that initiate connections to the LocalToNet tunneling service for operational activities such as automated backups, remote access for vendors, or managed cloud services.
Next Steps
When this rule is triggered, the following measures can be implemented:
- Identification: Identify the event and check whether the flagged incident is new or already known.
- Analysis: Analyze the impact and extent of the incident to understand the severity of the attack using the Incident Workbench.
- Response: Respond promptly by initiating an automated workflow to interrupt the network connections and terminate the malicious process.
- Reconfiguration: Update the network policies and port configurations, and continuously monitor traffic trends in the network.
Mitigation
| Mitigation ID | Mitigation Name | Mitigation description |
| --- | --- | --- |
| M1031 | Network Intrusion Prevention | Use detection signatures to identify and block adverse traffic entering the network. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. |
| M1037 | Filter Network Traffic | Use network appliances to filter ingress, egress and lateral network traffic. Protocol-based filtering, firewall rules and predefined conditions restrict adversary movement and limit unauthorized access across systems. |
| M1020 | SSL/TLS Inspection | Decrypt encrypted HTTPS traffic to analyze its content and check for malicious material before allowing it further into the network. |
| M1021 | Restrict Web-Based Content | Restrict web-based content by enforcing policies or tools that limit access to malicious sites, applications, browser extensions, etc. |