LoFP / false positives will be present based on organizations that allow the use of ngrok. filter or monitor as needed.

Techniques

• T1090
• T1102
• T1572

Sample rules

Ngrok Reverse Proxy on Network

• source: splunk
• technicques:
  • T1572
  • T1090
  • T1102

Description

The following analytic detects DNS queries to common Ngrok domains, indicating potential use of the Ngrok reverse proxy tool. It leverages the Network Resolution datamodel to identify queries to domains such as “.ngrok.com” and “.ngrok.io”. While Ngrok usage is not inherently malicious, it has been increasingly adopted by adversaries for covert communication and data exfiltration. If confirmed malicious, this activity could allow attackers to bypass network defenses, establish persistent connections, and exfiltrate sensitive data, posing a significant threat to the network’s security.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime  from datamodel=Network_Resolution where DNS.query IN ("*.ngrok.com","*.ngrok.io", "ngrok.*.tunnel.com", "korgn.*.lennut.com") by DNS.src DNS.query DNS.answer 
|  `drop_dm_object_name("DNS")` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `ngrok_reverse_proxy_on_network_filter`

Windows Ngrok Reverse Proxy Usage

• source: splunk
• technicques:
  • T1572
  • T1090
  • T1102

Description

The following analytic detects the execution of ngrok.exe on a Windows operating system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because while ngrok is a legitimate tool for creating secure tunnels, it is increasingly used by adversaries to bypass network defenses and establish reverse proxies. If confirmed malicious, this could allow attackers to exfiltrate data, maintain persistence, or facilitate further attacks by tunneling traffic through the compromised system.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ngrok.exe Processes.process IN ("*start*", "*--config*","*http*","*authtoken*", "*http*", "*tcp*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `windows_ngrok_reverse_proxy_usage_filter`