Service exposed using ngrok
Goal
Detect services being publicly exposed using ngrok.
Strategy
The tool ngrok is used to expose a local service to the public internet. While ngrok has legitimate uses, it can also be used maliciously to exfiltrate data. This rule generates a signal when a workload connects to the ngrok tunneling endpoint.
Triage and response
- Determine if this is expected activity for the workload.
- If this is not expected, isolate the workload, preserving it for analysis.
- Review related signals to understand the full timeline of the incident.
- Search for similar activity in network flow logs. Other hosts may also be affected.
- Find and repair the root cause of the incident.
This detection is based on data from Network Performance Monitoring.
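As an added example (not part of the original rule and not Datadog's code), the sketch below shows one way to carry out the triage step of searching network flow logs for other affected hosts. It assumes flow records exported as JSON lines; the field names `ts`, `host`, `dest_domain` and `bytes_sent` and the `NGROK_SUFFIXES` list are assumptions to adapt to your environment.

```python
import json
from collections import defaultdict

# Assumption: domain suffixes for the ngrok agent's tunnel connection.
# Align this list with the domains your own detection matches on.
NGROK_SUFFIXES = ("ngrok.com", "ngrok-agent.com", "ngrok.io")

# Constructed sample flow records; the field names are hypothetical.
SAMPLE_FLOWS = """\
{"ts": "2024-05-01T10:00:03Z", "host": "web-01", "dest_domain": "connect.ngrok-agent.com", "bytes_sent": 18234}
{"ts": "2024-05-01T10:01:15Z", "host": "web-01", "dest_domain": "api.example.com", "bytes_sent": 901}
{"ts": "2024-05-01T10:02:10Z", "host": "build-07", "dest_domain": "Tunnel.US.ngrok.com.", "bytes_sent": 512}
{"ts": "2024-05-01T10:05:41Z", "host": "web-01", "dest_domain": "connect.ngrok-agent.com", "bytes_sent": 90211}
{"ts": "2024-05-01T10:06:00Z", "host": "db-02", "dest_domain": "notngrok.com", "bytes_sent": 77}
{"ts": "2024-05-01T10:06:30Z", "host": "db-02", "dest_domain": "ngrok.com.example.net", "bytes_sent": 77}
not-json
"""


def is_ngrok_domain(domain):
    """True for a listed suffix itself or any subdomain of it."""
    d = str(domain or "").strip().lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in NGROK_SUFFIXES)


def hunt(lines):
    """Group ngrok-bound flows by host: count, bytes sent, first/last seen."""
    hits = defaultdict(lambda: {"flows": 0, "bytes_sent": 0, "first": None, "last": None})
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines rather than abort
        if not isinstance(rec, dict) or not is_ngrok_domain(rec.get("dest_domain")):
            continue
        h = hits[rec.get("host", "unknown")]
        h["flows"] += 1
        h["bytes_sent"] += int(rec.get("bytes_sent") or 0)
        ts = rec.get("ts", "")
        h["first"] = ts if h["first"] is None else min(h["first"], ts)
        h["last"] = ts if h["last"] is None else max(h["last"], ts)
    return dict(hits)


if __name__ == "__main__":
    for host, info in sorted(hunt(SAMPLE_FLOWS.splitlines()).items()):
        print(host, info)
```

Matching on a label boundary keeps lookalike names such as `notngrok.com` out of the results, and the per-host first and last timestamps feed directly into the incident timeline.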