An adversary uses the ngrok tunneling service to exfiltrate data from a compromised Linux host and to carry command and control traffic over the same tunnel. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential data exfiltration and command and control activity early.
Detection Rule
title: Communication To Ngrok Tunneling Service - Linux
id: 19bf6fdb-7721-4f3d-867f-53467f6a5db6
status: test
description: Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden data exfiltration by malicious actors
references:
    - https://twitter.com/hakluke/status/1587733971814977537/photo/1
    - https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent
author: Florian Roth (Nextron Systems)
date: 2022-11-03
tags:
    - attack.exfiltration
    - attack.command-and-control
    - attack.t1567
    - attack.t1568.002
    - attack.t1572
    - attack.t1090
    - attack.t1102
    - attack.s0508
logsource:
    product: linux
    category: network_connection
detection:
    selection:
        DestinationHostname|contains:
            - 'tunnel.us.ngrok.com'
            - 'tunnel.eu.ngrok.com'
            - 'tunnel.ap.ngrok.com'
            - 'tunnel.au.ngrok.com'
            - 'tunnel.sa.ngrok.com'
            - 'tunnel.jp.ngrok.com'
            - 'tunnel.in.ngrok.com'
    condition: selection
falsepositives:
    - Legitimate use of ngrok
level: high
Azure Sentinel Query (KQL)
imNetworkSession
| where DstHostname contains "tunnel.us.ngrok.com"
    or DstHostname contains "tunnel.eu.ngrok.com"
    or DstHostname contains "tunnel.ap.ngrok.com"
    or DstHostname contains "tunnel.au.ngrok.com"
    or DstHostname contains "tunnel.sa.ngrok.com"
    or DstHostname contains "tunnel.jp.ngrok.com"
    or DstHostname contains "tunnel.in.ngrok.com"
False Positive Scenarios

Scenario: System Update via Ngrok for Internal Deployment
Description: A legitimate system update process uses ngrok to push a new version of a service to an internal staging environment.
Filter/Exclusion: Check for known update scripts or processes (e.g., apt, yum, or ansible) and exclude traffic to ngrok endpoints used for internal deployment.

Scenario: Admin Task Using Ngrok for Remote Debugging
Description: A system administrator uses ngrok to expose a local debugging port for remote troubleshooting.
Filter/Exclusion: Exclude traffic from known admin user accounts or processes associated with debugging tools (e.g., gdb, strace, or tcpdump).

Scenario: Scheduled Job Exposing Metrics via Ngrok
Description: A scheduled job (e.g., a cron job) runs a script that uses ngrok to expose internal metrics to a monitoring tool.
Filter/Exclusion: Exclude traffic from known monitoring tools (e.g., Prometheus, Grafana) or scheduled jobs with known metrics endpoints.

Scenario: DevOps Pipeline Using Ngrok for Local Testing
Description: A DevOps pipeline temporarily uses ngrok to expose a local development server for testing purposes.
Filter/Exclusion: Exclude traffic from CI/CD pipelines (e.g., Jenkins, GitHub Actions) or processes associated with development environments.

Scenario: Internal Tool Using Ngrok for Secure Tunneling
Description: An internal tool or service uses ngrok to securely tunnel traffic between internal systems and external services.
Filter/Exclusion: Exclude traffic from known internal tools or services (e.g., VPN clients, secure tunneling apps) or traffic to ngrok endpoints used for internal tunneling.
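The following is an added example, not part of the Sigma rule, the Sentinel query, or the scenarios above: it applies the rule's DestinationHostname|contains selection to constructed Linux network_connection events and then drops hits on a (User, Image) allow-list of the kind the false-positive scenarios describe. The event field values, process paths, and the allow-list mechanism are assumptions for illustration.

```python
from typing import Iterable

# Hostnames from the rule's DestinationHostname|contains selection.
NGROK_TUNNEL_HOSTS = (
    "tunnel.us.ngrok.com", "tunnel.eu.ngrok.com", "tunnel.ap.ngrok.com",
    "tunnel.au.ngrok.com", "tunnel.sa.ngrok.com", "tunnel.jp.ngrok.com",
    "tunnel.in.ngrok.com",
)


def matches_selection(dest_hostname: str) -> bool:
    """Sigma's 'contains' modifier (like KQL 'contains') is a case-insensitive
    substring match, so the hostname is lower-cased before comparison."""
    host = (dest_hostname or "").lower()
    return any(indicator in host for indicator in NGROK_TUNNEL_HOSTS)


def hunt(events: Iterable[dict], allowlist: frozenset = frozenset()) -> list:
    """Apply the rule to network_connection events; drop allow-listed hits.
    allowlist holds (User, Image) pairs approved after reviewing the
    false-positive scenarios (an assumed tuning mechanism, not from the rule)."""
    alerts = []
    for ev in events:
        if not matches_selection(ev.get("DestinationHostname", "")):
            continue
        if (ev.get("User"), ev.get("Image")) in allowlist:
            continue  # documented legitimate use, e.g. a CI runner
        alerts.append({"host": ev.get("Computer"), "image": ev.get("Image"),
                       "user": ev.get("User"), "level": "high",
                       "dest": ev.get("DestinationHostname")})
    return alerts


# Constructed sample events using the Sigma network_connection field names.
SAMPLE_EVENTS = [
    {"Computer": "web01", "Image": "/tmp/.x/ngrok", "User": "www-data",
     "DestinationHostname": "tunnel.us.ngrok.com", "DestinationPort": 443},
    {"Computer": "db01", "Image": "/usr/bin/ssh", "User": "postgres",
     "DestinationHostname": "tunnel.EU.ngrok.com", "DestinationPort": 22},
    {"Computer": "ci01", "Image": "/usr/local/bin/ngrok", "User": "runner",
     "DestinationHostname": "tunnel.ap.ngrok.com", "DestinationPort": 443},
    {"Computer": "web01", "Image": "/usr/bin/apt", "User": "root",
     "DestinationHostname": "deb.debian.org", "DestinationPort": 443},
]

# (User, Image) pair approved under the DevOps pipeline scenario (assumed).
KNOWN_GOOD = frozenset({("runner", "/usr/local/bin/ngrok")})
```

Running `hunt(SAMPLE_EVENTS, KNOWN_GOOD)` returns the two unapproved connections (the web server user's ngrok binary and the SSH reverse tunnel from the database host); the mixed-case hostname still matches, just as it would under the Sigma rule and the KQL `contains` operator.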