← Back to SOC feed Coverage →

HackTool - Htran/NATBypass Execution

sigma HIGH SigmaHQ
T1090
imProcessCreate
evasion
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-08T23:00:01Z · Confidence: medium

Hunt Hypothesis

Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)

Detection Rule

Sigma (Original)

title: HackTool - Htran/NATBypass Execution
id: f5e3b62f-e577-4e59-931e-0a15b2b94e1e
status: test
description: Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)
references:
    - https://github.com/HiwinCN/HTran
    - https://github.com/cw1997/NATBypass
author: Florian Roth (Nextron Systems)
date: 2022-12-27
modified: 2023-02-04
tags:
    - attack.command-and-control
    - attack.t1090
    - attack.s0040
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\htran.exe'
            - '\lcx.exe'
    selection_cli:
        CommandLine|contains:
            - '.exe -tran '
            - '.exe -slave '
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high

KQL (Azure Sentinel)

imProcessCreate
| where (TargetProcessName endswith "\\htran.exe" or TargetProcessName endswith "\\lcx.exe") or (TargetProcessCommandLine contains ".exe -tran " or TargetProcessCommandLine contains ".exe -slave ")

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml