HackTool - Htran/NATBypass Execution

Last updated on:

About the rule

Rule Type

Standard

Rule Description

Detects execution of Htran or Htran-like proxy tools such as NATBypass by identifying common executable names and command-line flags typically used to create covert network tunnels.

Severity

Trouble

Rule journey

Attack chain scenario

Execution → Command and Control (T1090: Proxy)

Impact

Enables adversaries to proxy network traffic covertly, bypass network defenses, and maintain persistent communication with compromised systems.

Rule Requirement

Prerequisites

Process creation auditing with command-line logging enabled. Presence of Htran or similar tunneling tools executing with typical proxy-related parameters.

Criteria

Action1: actionname = "Process started" AND (PROCESSNAME endswith "\htran.exe,\lcx.exe" OR COMMANDLINE contains ".exe -tran ,.exe -slave ") select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME
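The criteria above rendered as plain Python over constructed process-creation events, as an added example that is not part of the rule page or the vendor's query engine. It assumes the "Process started" filter gates both the image-name and command-line branches (so a non-start event for lcx.exe is not an alert) and that the endswith/contains comparisons are case-insensitive; the event dictionaries and hostnames are made up for the demonstration.

```python
# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"actionname": "Process started", "HOSTNAME": "ws01", "USERNAME": "alice",
     "PROCESSNAME": r"C:\Users\alice\Downloads\htran.exe",
     "COMMANDLINE": r"C:\Users\alice\Downloads\htran.exe -slave 10.0.0.5 53 127.0.0.1 3389",
     "PARENTPROCESSNAME": r"C:\Windows\System32\cmd.exe"},
    {"actionname": "Process started", "HOSTNAME": "ws02", "USERNAME": "bob",
     "PROCESSNAME": r"C:\Temp\svc.exe",  # renamed binary: only the flag gives it away
     "COMMANDLINE": r"C:\Temp\svc.exe -tran 8080 203.0.113.7 443",
     "PARENTPROCESSNAME": r"C:\Windows\explorer.exe"},
    {"actionname": "Process terminated", "HOSTNAME": "ws03", "USERNAME": "carol",
     "PROCESSNAME": r"C:\Tools\lcx.exe",  # right name, wrong action: must not fire
     "COMMANDLINE": r"C:\Tools\lcx.exe -listen 1234 4321",
     "PARENTPROCESSNAME": r"C:\Windows\System32\cmd.exe"},
    {"actionname": "Process started", "HOSTNAME": "ws04", "USERNAME": "dave",
     "PROCESSNAME": r"C:\Windows\System32\notepad.exe",
     "COMMANDLINE": r"notepad.exe C:\notes\transit.txt",  # "tran" substring, no flag
     "PARENTPROCESSNAME": r"C:\Windows\explorer.exe"},
]

# The two value lists from the rule's endswith / contains clauses.
IMAGE_SUFFIXES = ("\\htran.exe", "\\lcx.exe")
CMDLINE_MARKERS = (".exe -tran ", ".exe -slave ")
# Fields named in the rule's select clause; absent fields come back as None.
SELECT = ("HOSTNAME", "MESSAGE", "COMMANDLINE", "FILE_NAME",
          "PROCESSNAME", "USERNAME", "PARENTPROCESSNAME")


def matches(event):
    """Return True when the event satisfies the rule's criteria."""
    # Gate on process start first; the OR only applies to start events (assumption).
    if event.get("actionname") != "Process started":
        return False
    image = event.get("PROCESSNAME", "").lower()
    cmd = event.get("COMMANDLINE", "").lower()
    by_image = any(image.endswith(s) for s in IMAGE_SUFFIXES)
    by_cmd = any(m in cmd for m in CMDLINE_MARKERS)
    return by_image or by_cmd


def run_rule(events):
    """Apply the rule and project matching events onto the select fields."""
    return [{k: e.get(k) for k in SELECT} for e in events if matches(e)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit["HOSTNAME"], hit["PROCESSNAME"], hit["COMMANDLINE"])
```

Without the action gate applying to both branches, the ws03 "Process terminated" event would also alert, which is the precedence trap to check when porting the criteria into another query language.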

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

T1090: Command and Control - Proxy

Security Standards

  • Network traffic filtering to block communications with known anonymity networks and adversary infrastructure
  • Network intrusion detection and prevention systems configured with rules for known C2 protocols
  • SSL/TLS inspection to detect covert or domain fronting traffic

Author

Florian Roth (Nextron Systems)

Future actions

Known False Positives

Unknown

Next Steps

  • Investigate suspicious executions of htran.exe, lcx.exe, or related command-line parameters
  • Apply network filtering and intrusion prevention to block proxy/tunneling communications
  • Enable encrypted traffic inspection where feasible to detect evasive techniques
  • Maintain enhanced logging and monitoring of process creation and network events for proactive detection

Mitigation

Mitigation ID | Name | Description

M1037 | Filter Network Traffic | Block traffic to known anonymity networks and C2 infrastructure using network allow and block lists to disrupt proxy tools.

M1031 | Network Intrusion Prevention | Deploy network intrusion detection and prevention systems with signatures for known adversary proxy and tunneling techniques.

M1020 | SSL/TLS Inspection | Inspect encrypted HTTPS traffic to detect domain fronting and covert proxy channels used by tools like Htran/NATBypass.