Ngrok Usage with Remote Desktop Service

Aug 12, 2024 · attack.command-and-control attack.t1090 ·

Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour

Sigma rule (View on GitHub)

 1title: Ngrok Usage with Remote Desktop Service
 2id: 64d51a51-32a6-49f0-9f3d-17e34d640272
 3status: test
 4description: Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour
 5references:
 6    - https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg
 7    - https://ngrok.com/
 8author: Florian Roth (Nextron Systems)
 9date: 2022-04-29
10tags:
11    - attack.command-and-control
12    - attack.t1090
13logsource:
14    product: windows
15    service: terminalservices-localsessionmanager
16detection:
17    selection:
18        EventID: 21
19        Address|contains: '16777216'
20    condition: selection
21falsepositives:
22    - Unknown
23level: high

References

x.com

Read More
ngrok | API Gateway, IoT Device Gateway, Secure Tunnels for Containers, Apps & APIs

ngrok is a secure ingress platform that enables developers to add global server load balancing, reverse proxy, firewall, API gateway and Kubernetes Ingress to applications and APIs.

Read More

Ngrok Usage with Remote Desktop Service

Sigma rule (View on GitHub)

References

x.com

ngrok | API Gateway, IoT Device Gateway, Secure Tunnels for Containers, Apps & APIs

Related rules