
t1572 (Protocol Tunneling)

Title
administrative activity
administrative activity using a remote port forwarding to a local port
another tool that uses the command line switches of ngrok
dns domains that use large numbers of child domains, such as software or content distribution networks, can trigger this alert and such parent domains can be excluded.
legitimate usage of cloudflared tunnel.
legitimate usage of cloudflared.
legitimate use of btunnels will also trigger this.
legitimate use of cloudflare tunnels will also trigger this.
legitimate use of devtunnels will also trigger this.
legitimate use of ngrok
legitimate use of the localtonet service.
legitimate use of the ngrok service.
legitimate use of visual studio code tunnel will also trigger this.
ngrok http 3978 (https://learn.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)
normal use of iodine is uncommon apart from security testing and research. use by non-security engineers is very uncommon.
some networks may utilize these protocols, but usage that is unfamiliar to local network administrators can be unexpected and suspicious. because this port is in the ephemeral range, this rule may fire falsely under certain conditions, such as when an application server with a public ip address replies to a client which has used a udp port in that range by coincidence. this is uncommon, but such servers can be excluded.
there is a potential for false positives if SOCKS proxies are used for legitimate purposes, such as debugging or troubleshooting, or if the "curl" command-line tool is used to download files from a known benign source. it is important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate container activity.
unknown
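The notes above all say the same thing in different words: tunneling-tool detections need explicit exclusions for known-good usage (the `ngrok http 3978` Bot Framework debug case) and for parent domains that legitimately fan out into many child names (CDNs, software distribution). The following is an added example, not code from the LoFP page or from any of the vendor rules it summarizes, showing both heuristics run over constructed sample data. The tool list, the allowlist, the child-domain threshold of 50, the excluded CDN parents and every log line are assumptions made for the example; a production rule would use a public-suffix list instead of the last-two-labels shortcut.

```python
"""Two protocol-tunneling heuristics with the false-positive exclusions
the notes above call for.  Added example; all inputs are constructed."""
import shlex
from collections import defaultdict

# Assumed set of tunneling clients worth alerting on when seen in a process
# command line (ngrok, cloudflared, devtunnel, localtonet, iodine, bore).
TUNNEL_TOOLS = {"ngrok", "cloudflared", "devtunnel", "localtonet", "iodine", "bore"}


def _is_bot_framework_debug(argv):
    # Encodes the "ngrok http 3978" Azure Bot Service debugging case cited above.
    return argv[:3] == ["ngrok", "http", "3978"]


# Allowlist of (normalized image name, predicate over argv); assumed contents.
ALLOWLIST = [("ngrok", _is_bot_framework_debug)]


def classify_process(cmdline):
    """Return 'alert', 'allowlisted' or 'ignore' for one process command line."""
    try:
        # posix=False keeps Windows backslashes; quotes are stripped per token.
        argv = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    except ValueError:
        return "ignore"
    if not argv:
        return "ignore"
    image = argv[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if image.endswith(".exe"):
        image = image[:-4]
    argv[0] = image
    # "code tunnel" is the VS Code tunnel subcommand, not a tunnel binary name.
    if image == "code" and len(argv) > 1 and argv[1].lower() == "tunnel":
        image = "code-tunnel"
    elif image not in TUNNEL_TOOLS:
        return "ignore"
    for allowed_image, predicate in ALLOWLIST:
        if image == allowed_image and predicate(argv):
            return "allowlisted"
    return "alert"


# Assumed threshold of distinct child names per parent, and an assumed
# exclusion list of parents that legitimately fan out (CDN / update domains).
CHILD_DOMAIN_THRESHOLD = 50
EXCLUDED_PARENTS = {"cloudfront.net", "akamaiedge.net", "windowsupdate.com"}


def parent_domain(qname):
    """Registrable parent approximated as the last two labels (assumption;
    real deployments should consult the public-suffix list)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname.lower()


def dns_tunnel_candidates(queries, threshold=CHILD_DOMAIN_THRESHOLD,
                          excluded=EXCLUDED_PARENTS):
    """Group query names by parent domain, count distinct child names, and
    return parents at or above the threshold that are not excluded."""
    children = defaultdict(set)
    for q in queries:
        name = q.lower().rstrip(".")
        parent = parent_domain(name)
        if name != parent:
            children[parent].add(name)
    return sorted(p for p, c in children.items()
                  if len(c) >= threshold and p not in excluded)


# Constructed sample input: iodine-like encoded labels under one zone, a CDN
# fan-out that must be excluded, and a few ordinary lookups.
SAMPLE_QUERIES = (
    [f"{i:06x}.t.example.org" for i in range(60)]
    + [f"d{i}.cloudfront.net" for i in range(60)]
    + ["www.example.com", "mail.example.com", "login.microsoftonline.com"]
)

SAMPLE_CMDLINES = [
    r'"C:\Tools\ngrok.exe" http 3978',                 # Bot Framework debugging: allowlisted
    "ngrok tcp 3389",                                  # RDP exposure: alert
    "/usr/local/bin/cloudflared tunnel run --token x",  # alert
    "code tunnel --accept-server-license-terms",       # VS Code tunnel: alert
    "notepad.exe readme.txt",                          # ignore
]

if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        print(f"{classify_process(c):12} {c}")
    print("dns candidates:", dns_tunnel_candidates(SAMPLE_QUERIES))
```

The allowlist predicate is deliberately narrow (image plus exact arguments) so that reusing ngrok's switches with a different target, the "another tool" case above, still alerts; the DNS exclusion is keyed on the parent rather than on the full query name so that CDN fan-out is dropped without suppressing a tunnel that happens to share a registrable suffix with an excluded host.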