Tunneling, Proxying & Network Exposure

Detects reverse tunnels, SOCKS proxies, and tools that expose internal services to the internet

18 rules in tunneling.yml

CRITICAL: 8 | HIGH: 10

Rule ID	Severity	Title	Description	Refs
`chisel_tunnel`	CRITICAL	Chisel Tunnel Tool	Installs or runs chisel, a tool for creating encrypted TCP/UDP tunnels through firewalls	CWE-693 T1090.002 CM-6 CIS-4.1
`dnscat2_tunnel`	CRITICAL	dnscat2 DNS Tunnel	Installs or runs dnscat2, a tool for establishing C2 channels over DNS	CWE-693 T1071.004 CM-6 CIS-4.1
`frp_tunnel`	CRITICAL	FRP Reverse Proxy	Installs or configures frp (fast reverse proxy) for tunneling through firewalls	CWE-693 T1090.002 CM-6 CIS-4.1
`icmptunnel_tunnel`	CRITICAL	ICMP Tunnel	Installs or runs icmptunnel to tunnel IP traffic over ICMP echo requests	CWE-693 T1095 CM-6 CIS-4.1
`iodine_dns_tunnel`	CRITICAL	Iodine DNS Tunnel	Installs or runs iodine/iodined to tunnel IP traffic over DNS	CWE-693 T1071.004 CM-6 CIS-4.1
`ligolo_tunnel`	CRITICAL	Ligolo Tunneling Agent	Installs or runs ligolo-ng, a tunneling tool for pivoting through networks	CWE-693 T1090.002 CM-6 CIS-4.1
`ngrok_exposure`	CRITICAL	ngrok Service Exposure	Installs or runs ngrok to expose internal services to the internet	CWE-200 T1090.002 A01:2021 V14.2.2 AC-3 CIS-4.1
`revsocks_tunnel`	CRITICAL	Reverse SOCKS Proxy Tool	Installs or runs a reverse SOCKS proxy (revsocks, gost, or similar)	CWE-693 T1090.001 CM-6 CIS-4.1
`bore_tunnel`	HIGH	Bore Tunnel Exposure	Installs or runs bore to expose local ports through a public relay	CWE-693 T1090.002 CM-6 CIS-4.1
`cloudflared_tunnel`	HIGH	Cloudflare Tunnel Exposure	cloudflared tunnel/access is invoked with –url or –hostname. Cloudflare Tunnels punch through outbound-only firewalls and expose internal services without ingress rules.	CWE-200 T1090.002 A01:2021 V14.2.2 AC-3 CIS-4.1
`localtunnel_exposure`	HIGH	LocalTunnel Exposure	Installs or runs localtunnel (lt) to expose local services to the internet	CWE-200 T1090.002 A01:2021 V14.2.2 AC-3 CIS-4.1
`rathole_tunnel`	HIGH	Rathole NAT Traversal Tunnel	Installs or runs rathole, a Rust-based reverse proxy for NAT traversal	CWE-693 T1090.002 CM-6 CIS-4.1
`serveo_tunnel`	HIGH	Serveo SSH Tunnel	Uses SSH to expose local services via serveo.net public relay	CWE-693 T1021.004 CM-6 CIS-4.1
`socat_port_forward`	HIGH	Socat TCP Port Forwarding	Uses socat to relay TCP traffic between hosts, potentially forwarding internal services	CWE-693 T1090.001 CM-6 CIS-4.1
`ssh_remote_forward`	HIGH	SSH Remote Port Forwarding	Creates a remote port forward to expose internal services via an external SSH server	CWE-693 T1021.004 CM-6 CIS-4.1
`ssh_socks_proxy`	HIGH	SSH SOCKS Proxy	Creates a SOCKS proxy via SSH dynamic port forwarding for traffic tunneling	CWE-693 T1090.001 CM-6 CIS-4.1
`tailscale_unauthorized`	HIGH	Unauthorized Tailscale Setup	Installs or activates Tailscale which could bypass network security controls	CWE-693 T1133 CM-6 CIS-4.1
`vpn_setup_unauthorized`	HIGH	Unauthorized VPN Setup	Installs or configures WireGuard, OpenVPN, or other VPN software for unauthorized network access	CWE-693 T1133 CM-6 CIS-4.1