PUA - Ngrok Execution

Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available. Involved domains are bin.equinox.io for download and *.ngrok.io for connections.

Sigma rule

title: PUA - Ngrok Execution
id: ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31
status: test
description: |
  Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available.
  Involved domains are bin.equinox.io for download and *.ngrok.io for connections.
references:
    - https://ngrok.com/docs
    - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
    - https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp
    - https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection
    - https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/
    - https://twitter.com/xorJosh/status/1598646907802451969
    - https://www.softwaretestinghelp.com/how-to-use-ngrok/
author: Florian Roth (Nextron Systems)
date: 2021/05/14
modified: 2023/02/21
tags:
    - attack.command_and_control
    - attack.t1572
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|contains:
            - ' tcp 139'
            - ' tcp 445'
            - ' tcp 3389'
            - ' tcp 5985'
            - ' tcp 5986'
    selection2:
        CommandLine|contains|all:
            - ' start '
            - '--all'
            - '--config'
            - '.yml'
    selection3:
        Image|endswith: 'ngrok.exe'
        CommandLine|contains:
            - ' tcp '
            - ' http '
            - ' authtoken '
    selection4:
        CommandLine|contains:
            - '.exe authtoken '
            - '.exe start --all'
    condition: 1 of selection*
falsepositives:
    - Another tool that uses the command line switches of Ngrok
    - Ngrok http 3978 (https://learn.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)
level: high
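To make the rule's logic concrete, the following is an added example (not part of the Sigma rule above or of the Sigma project) that re-implements its four selections in plain Python and evaluates them against constructed process_creation events. It assumes Sigma's default case-insensitive string matching for `contains`, `contains|all` and `endswith`, and the `condition: 1 of selection*` OR semantics; the sample events, paths and the token placeholder are constructed for illustration. The third event reproduces the documented false positive (`ngrok http 3978` used for Bot Framework debugging) so an analyst can see exactly which selection causes it.

```python
"""Evaluate the 'PUA - Ngrok Execution' selections against sample events.

Added example, not the rule's or the Sigma project's own code. The match
semantics below are an assumption based on Sigma defaults: string values
are compared case-insensitively, 'contains' is a substring test,
'contains|all' requires every substring, and 'endswith' is a suffix test.
"""

# Substrings copied from the rule's selections.
SELECTION1_CMD = [' tcp 139', ' tcp 445', ' tcp 3389', ' tcp 5985', ' tcp 5986']
SELECTION2_CMD_ALL = [' start ', '--all', '--config', '.yml']
SELECTION3_IMAGE_SUFFIX = 'ngrok.exe'
SELECTION3_CMD = [' tcp ', ' http ', ' authtoken ']
SELECTION4_CMD = ['.exe authtoken ', '.exe start --all']


def _contains_any(value, needles):
    """Sigma 'contains' with a list: any substring matches (case-insensitive)."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def _contains_all(value, needles):
    """Sigma 'contains|all': every listed substring must be present."""
    v = value.lower()
    return all(n.lower() in v for n in needles)


def matching_selections(event):
    """Return the names of the selections an event satisfies.

    The rule's condition is '1 of selection*', so it fires whenever this
    list is non-empty. Returning the names (not just a bool) tells an
    analyst which part of the rule produced the alert.
    """
    cmd = event.get('CommandLine', '')
    image = event.get('Image', '')
    hits = []
    if _contains_any(cmd, SELECTION1_CMD):
        hits.append('selection1')
    if _contains_all(cmd, SELECTION2_CMD_ALL):
        hits.append('selection2')
    # selection3 combines two fields: both the image suffix and a
    # command-line substring must match.
    if image.lower().endswith(SELECTION3_IMAGE_SUFFIX) and _contains_any(cmd, SELECTION3_CMD):
        hits.append('selection3')
    if _contains_any(cmd, SELECTION4_CMD):
        hits.append('selection4')
    return hits


def rule_fires(event):
    """True when at least one selection matches (condition: 1 of selection*)."""
    return bool(matching_selections(event))


# Constructed sample process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    # Exposing RDP through a tunnel: hits selection1 (port) and selection3 (image + ' tcp ').
    {"Image": r"C:\Users\alice\Downloads\ngrok.exe",
     "CommandLine": "ngrok.exe tcp 3389"},
    # Renamed binary started from a config file: selection2 and selection4 still catch it.
    {"Image": r"C:\Tools\tunnel.exe",
     "CommandLine": r"tunnel.exe start --all --config C:\Tools\ngrok.yml"},
    # Documented false positive: Bot Framework debugging with 'ngrok http 3978'.
    {"Image": r"C:\Tools\ngrok\ngrok.exe",
     "CommandLine": "ngrok.exe http 3978"},
    # Ordinary Windows service host: no selection should match.
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs -p"},
    # Renamed binary registering a token: selection4 matches on '.exe authtoken '.
    {"Image": r"C:\temp\n.exe",
     "CommandLine": "n.exe authtoken PLACEHOLDER_TOKEN"},  # token is a placeholder
]


def evaluate(events):
    """Map each event's command line to the selections it triggers."""
    return [(e["CommandLine"], matching_selections(e)) for e in events]


if __name__ == "__main__":
    for cmdline, hits in evaluate(SAMPLE_EVENTS):
        status = "ALERT" if hits else "ok   "
        print(f"{status}  {cmdline!r:60}  {hits}")
```

Running the script shows that the renamed-binary events are caught only by the command-line selections (2 and 4), which is why the rule does not rely on the image name alone, and that the Bot Framework case trips selection3 via `' http '`; an environment that uses that workflow would tune selection3 rather than the whole rule.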
