Ngrok Usage with Remote Desktop Service
Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour
Sigma rule (View on GitHub)
1title: Ngrok Usage with Remote Desktop Service
2id: 64d51a51-32a6-49f0-9f3d-17e34d640272
3status: test
4description: Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour
5references:
6 - https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg
7 - https://ngrok.com/
8author: Florian Roth (Nextron Systems)
9date: 2022/04/29
10tags:
11 - attack.command_and_control
12 - attack.t1090
13logsource:
14 product: windows
15 service: terminalservices-localsessionmanager
16detection:
17 selection:
18 EventID: 21
19 Address|contains: '16777216'
20 condition: selection
21falsepositives:
22 - Unknown
23level: high
References
Related rules
- Communication To Ngrok Tunneling Service - Linux
- Suspicious TCP Tunnel Via PowerShell Script
- Malicious IP Address Sign-In Failure Rate
- Malicious IP Address Sign-In Suspicious
- Sign-In From Malware Infected IP