LoFP
/
t1572
t1572
Title
Tags
administrative activity
t1003
t1016
t1021
t1021.001
t1027
t1036
t1053
t1053.005
t1059
t1059.001
t1059.005
t1071
t1071.001
t1087
t1087.001
t1087.002
t1098
t1105
t1133
t1134
t1136
t1136.001
t1137
t1222
t1222.001
t1505
t1505.004
t1552
t1552.006
t1555
t1555.004
t1562
t1562.001
t1572
t1615
windows
linux
sigma
administrative activity using a remote port forwarding to a local port
t1021
t1021.001
t1021.004
t1572
windows
sigma
another tool that uses the command line switches of ngrok
t1572
windows
sigma
dns domains that use large numbers of child domains, such as software or content distribution networks, can trigger this alert and such parent domains can be excluded.
t1572
ml
elastic
false positives may be present if ngrok is an authorized utility. filter as needed.
t1090
t1102
t1572
endpoint
splunk
false positives may be present if the organization allows for ssh tunneling outbound or internally. filter as needed.
t1021.004
t1572
endpoint
splunk
false positives will be present based on organizations that allow the use of ngrok. filter or monitor as needed.
t1090
t1102
t1572
endpoint
splunk
legitimate usage of cloudflared tunnel.
t1090
t1102
t1572
windows
sigma
legitimate usage of cloudflared.
t1090
t1102
t1572
windows
sigma
legitimate use of ngrok
t1090
t1102
t1567
t1568
t1568.002
t1572
linux
sigma
legitimate use of the ngrok service.
t1090
t1102
t1567
t1567.001
t1568
t1568.002
t1572
windows
sigma
ngrok http 3978 (https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)
t1572
windows
sigma
normal use of iodine is uncommon apart from security testing and research. use by non-security engineers is very uncommon.
t1572
_deprecated
elastic
LoFP
/
t1572