Service exposed using ngrok

Goal

Detect services being publicly exposed using ngrok.

Strategy

The tool ngrok is used to expose a local service to the public internet. While ngrok has legitimate uses, it can also be used maliciously to exfiltrate data. This rule generates a signal when a workload connects to the ngrok tunneling endpoint.

Triage and response

  1. Determine if this is expected activity for the workload.
  2. If this is not expected, isolate the workload, preserving it for analysis.
  3. Review related signals to understand the full timeline of the incident.
  4. Search for similar activity in network flow logs. Other hosts may also be affected.
  5. Find and repair the root cause of the incident.
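
One way to run the sweep in step 4, as an added example that is not part of the original rule or its query: it scans exported flow records for destinations under ngrok domains and summarizes the activity per source host. The domain suffixes, the record field names, and the sample records are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Assumption: domain suffixes the ngrok agent connects to for tunneling.
# The page does not list them; align these with your rule's query.
NGROK_SUFFIXES = ("ngrok-agent.com", "ngrok.com")

# Constructed flow records (hypothetical field names), one JSON object per line.
SAMPLE_FLOWS = """\
{"ts": "2024-05-01T10:00:05Z", "src_host": "web-1", "dst_domain": "connect.ngrok-agent.com", "bytes_out": 1200}
{"ts": "2024-05-01T10:02:11Z", "src_host": "web-1", "dst_domain": "api.example.com", "bytes_out": 300}
{"ts": "2024-05-01T10:07:42Z", "src_host": "db-2", "dst_domain": "tunnel.us.ngrok.com", "bytes_out": 88000}
{"ts": "2024-05-01T10:09:00Z", "src_host": "web-3", "dst_domain": "notngrok.com", "bytes_out": 50}
truncated-line-not-json
{"ts": "2024-05-01T10:15:30Z", "src_host": "web-1", "dst_domain": "Connect.NGROK-Agent.com.", "bytes_out": 4100}
"""


def is_ngrok(domain):
    """Match on a label boundary so 'notngrok.com' is not a hit."""
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in NGROK_SUFFIXES)


def hosts_talking_to_ngrok(lines):
    """Return {src_host: {first, last, flows, bytes_out}} for ngrok-bound flows."""
    hits = defaultdict(lambda: {"first": None, "last": None, "flows": 0, "bytes_out": 0})
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines rather than abort the sweep
        if not isinstance(rec, dict) or not is_ngrok(str(rec.get("dst_domain", ""))):
            continue
        h = hits[rec.get("src_host", "unknown")]
        ts = rec.get("ts", "")
        # ISO 8601 UTC timestamps in one format sort lexicographically.
        h["first"] = ts if h["first"] is None else min(h["first"], ts)
        h["last"] = ts if h["last"] is None else max(h["last"], ts)
        h["flows"] += 1
        h["bytes_out"] += int(rec.get("bytes_out", 0))
    return dict(hits)


if __name__ == "__main__":
    for host, info in sorted(hosts_talking_to_ngrok(SAMPLE_FLOWS.splitlines()).items()):
        print(host, info)
```

The first-seen and last-seen times per host give the window to line up against related signals in step 3, and the outbound byte total helps rank hosts for review.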

This detection is based on data from Cloud Network Monitoring.
