Loading

Potential Protocol Tunneling via Yuze

Identifies execution of Yuze, a lightweight open-source tunneling tool used for intranet penetration. Yuze supports forward and reverse SOCKS5 proxy tunneling and is typically executed via rundll32 loading yuze.dll with the RunYuze export. Threat actors may use it to proxy C2 or pivot traffic.

Rule type: eql
Rule indices:

  • endgame-*
  • logs-crowdstrike.fdr*
  • logs-endpoint.events.process-*
  • logs-m365_defender.event-*
  • logs-sentinel_one_cloud_funnel.*
  • logs-system.security*
  • logs-windows.sysmon_operational-*
  • winlogbeat-*

Rule Severity: medium
Risk Score: 47
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: 100
References:

Tags:

  • Domain: Endpoint
  • OS: Windows
  • Use Case: Threat Detection
  • Tactic: Command and Control
  • Resources: Investigation Guide
  • Data Source: Elastic Defend
  • Data Source: Sysmon
  • Data Source: SentinelOne
  • Data Source: Microsoft Defender for Endpoint
  • Data Source: Crowdstrike
  • Data Source: Elastic Endgame
  • Data Source: Windows Security Event Logs

Version: 1
Rule authors:

  • Elastic

Rule license: Elastic License v2

Yuze is a C-based tunneling tool used for intranet penetration and supports forward and reverse SOCKS5 proxy tunneling. It is commonly executed as rundll32 yuze.dll,RunYuze reverse -c <ip>:<port> and has been observed in threat actor campaigns.

  • Confirm the command line contains yuze.dll and RunYuze; typical form is rundll32 yuze.dll,RunYuze reverse -c <ip>:<port>.
  • Extract the remote endpoint from the -c argument (C2 or relay) and look up the IP/domain in threat intelligence.
  • Locate where yuze.dll was loaded from; check file creation time to see if it was recently dropped.
  • Identify the parent process that started rundll32 (script, scheduled task, exploit, etc.) to understand the execution chain.
  • Correlate with network events for outbound connections from this host to the IP/port in the command line.
  • Legitimate use of Yuze is rare; most hits are likely malicious or red-team. If you use Yuze for authorized testing, consider an exception by host or user.
  • Isolate the host and terminate the rundll32 process.
  • Remove yuze.dll from disk and hunt for other copies or related artifacts.
  • Block the C2/relay IP or domain at DNS/firewall; rotate credentials if the tunnel was used for access.
process where host.os.type == "windows" and event.type == "start" and
  (
    (process.args : "reverse" and process.args : ("-c", "-s")) or
    (process.args : ("proxy", "fwd") and process.args : "-l")
   ) and
  (?process.code_signature.exists == false or process.name : "rundll32.exe")

Framework: MITRE ATT&CK