LoFP
/
t1102
t1102
Title
Tags
false positives may be present if ngrok is an authorized utility. filter as needed.
t1090
t1102
t1572
endpoint
splunk
false positives will be present based on organizations that allow the use of ngrok. filter or monitor as needed.
t1090
t1102
t1572
endpoint
splunk
legitimate applications communicating with the \"api.notion.com\" endpoint that are not already in the exclusion list. the desktop and browser applications do not appear to be using the api by default unless integrations are configured.
t1102
windows
sigma
legitimate applications communicating with the \"googleapis.com\" endpoints that are not already in the exclusion list. this is environmental dependent and requires further testing and tuning.
t1102
windows
sigma
legitimate applications communicating with the telegram api e.g. web browsers not in the exclusion list, app with an rss etc.
t1102
windows
sigma
legitimate sub processes started by manage engine servicedesk pro
t1102
windows
sigma
legitimate usage of cloudflared tunnel.
t1090
t1102
t1572
windows
sigma
legitimate usage of cloudflared.
t1090
t1102
t1572
windows
sigma
legitimate use of ngrok
t1090
t1102
t1567
t1568
t1568.002
t1572
linux
sigma
legitimate use of telegram bots in the company
t1071
t1071.001
t1102
t1102.002
sigma
legitimate use of the ngrok service.
t1090
t1102
t1567
t1567.001
t1568
t1568.002
t1572
windows
sigma
ninite contacting githubusercontent.com
t1102
t1102.001
windows
sigma
noise and false positive can be seen if the following instant messaging is allowed to use within corporate network. in this case, a filter is needed.
t1059
t1059.005
t1102
endpoint
splunk
one might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from microsoft defender.
t1102
t1102.001
windows
sigma
user activity (e.g. developer that shared and copied code snippets and used the raw link instead of just copy & paste)
t1071
t1071.001
t1102
t1102.001
t1102.003
sigma
LoFP
/
t1102