ngrok http 3978 (https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)

t1572
windows
sigma

Techniques

t1572

Sample rules

PUA - Ngrok Execution

source: sigma
technicques:
- t1572

Description

Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available. Involved domains are bin.equinox.io for download and *.ngrok.io for connections.

Detection logic

condition: 1 of selection*
selection1:
  CommandLine|contains:
  - ' tcp 139'
  - ' tcp 445'
  - ' tcp 3389'
  - ' tcp 5985'
  - ' tcp 5986'
selection2:
  CommandLine|contains|all:
  - ' start '
  - --all
  - --config
  - .yml
selection3:
  CommandLine|contains:
  - ' tcp '
  - ' http '
  - ' authtoken '
  Image|endswith: ngrok.exe
selection4:
  CommandLine|contains:
  - '.exe authtoken '
  - .exe start --all