Potential Protocol Tunneling via Yuze

This rule detects the execution of Yuze, an open-source tunneling tool written in C, which is commonly used for intranet penetration. Yuze supports both forward and reverse SOCKS5 proxy tunneling and is often executed using rundll32 to load yuze.dll with the RunYuze export. Threat actors can leverage Yuze to proxy command and control (C2) communications or to pivot within a network. The detection focuses on identifying processes with command-line arguments indicative of Yuze execution, specifically those involving “reverse,” “-c,” “proxy,” “fwd,” and “-l” parameters. This activity has been observed in real-world campaigns, increasing the importance of timely detection and response.

Attack Chain

1. The attacker gains initial access to a target system through various means (e.g., phishing, exploitation of vulnerabilities).
2. The attacker uploads or drops the yuze.dll file onto the compromised host.
3. The attacker uses rundll32.exe to execute yuze.dll, calling the RunYuze export.
4. The command line includes parameters to establish a reverse or forward SOCKS5 proxy tunnel (e.g., rundll32 yuze.dll,RunYuze reverse -c <ip>:<port>).
5. Yuze establishes a tunnel to a remote server, allowing the attacker to proxy network traffic.
6. The attacker uses the established tunnel to pivot within the network and access internal resources.
7. The attacker may proxy C2 traffic through the tunnel, masking the true origin of the commands.
8. The attacker performs actions on the internal network, such as data exfiltration or lateral movement, using the tunnel as a covert channel.

Impact

Successful exploitation allows attackers to establish covert communication channels, bypass network security controls, and proxy malicious traffic, potentially leading to unauthorized access to sensitive data, lateral movement within the network, and data exfiltration. The use of Yuze can obscure the origin of attacks, making attribution more difficult and hindering incident response efforts.

Recommendation

• Deploy the Sigma rule “Potential Yuze Tunneling via Rundll32” to your SIEM to detect the execution of yuze.dll via rundll32.exe with specific command-line arguments.
• Enable process creation logging (Sysmon Event ID 1 or Windows Security Auditing) to capture the necessary command-line information for the Sigma rules.
• Investigate any identified instances of rundll32.exe executing yuze.dll, focusing on the parent processes and network connections.
• Block the C2/relay IP or domain found in the -c argument at DNS/firewall, as described in the Triage and Analysis section of the rule’s note.