LoFP / ngrok http 3978 (https://learn.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)

Techniques

Sample rules

PUA - Ngrok Execution

Description

Detects the use of ngrok, a port-forwarding and tunneling utility that threat actors often use to expose local, otherwise protected services to the internet. The domains involved are bin.equinox.io for the download and *.ngrok.io for tunnel connections.

Detection logic

condition: 1 of selection*
selection1:
  CommandLine|contains:
  - ' tcp 139'
  - ' tcp 445'
  - ' tcp 3389'
  - ' tcp 5985'
  - ' tcp 5986'
selection2:
  CommandLine|contains|all:
  - ' start '
  - --all
  - --config
  - .yml
selection3:
  CommandLine|contains:
  - ' tcp '
  - ' http '
  - ' authtoken '
  Image|endswith: ngrok.exe
selection4:
  CommandLine|contains:
  - '.exe authtoken '
  - .exe start --all
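As an added example (not code from the LoFP page or the Sigma project), the detection logic above re-implemented in Python and run over constructed process-creation events. It shows why the legitimate Bot Framework debugging command `ngrok http 3978` from the linked Microsoft page is flagged: selection3 matches on the ' http ' substring plus an image ending in ngrok.exe, the same path a tunnel to a sensitive port takes. The evaluator only covers the three modifiers the rule uses, and the events are invented samples.

```python
from typing import Dict, List

# The rule's four selections transcribed as data (added example; not the Sigma
# project's own evaluator, and Sigma's full modifier semantics are not reproduced).
SELECTIONS = {
    "selection1": {"CommandLine|contains": [" tcp 139", " tcp 445", " tcp 3389", " tcp 5985", " tcp 5986"]},
    "selection2": {"CommandLine|contains|all": [" start ", "--all", "--config", ".yml"]},
    "selection3": {"CommandLine|contains": [" tcp ", " http ", " authtoken "], "Image|endswith": "ngrok.exe"},
    "selection4": {"CommandLine|contains": [".exe authtoken ", ".exe start --all"]},
}

def _clause_match(event: Dict[str, str], key: str, patterns) -> bool:
    """Evaluate one `Field|modifier` clause; Sigma string matching is case-insensitive."""
    field, modifier = key.split("|", 1)
    value = event.get(field, "").lower()
    pats = [p.lower() for p in ([patterns] if isinstance(patterns, str) else patterns)]
    if modifier == "contains":       # any listed substring present
        return any(p in value for p in pats)
    if modifier == "contains|all":   # every listed substring present
        return all(p in value for p in pats)
    if modifier == "endswith":
        return any(value.endswith(p) for p in pats)
    raise ValueError(f"unsupported modifier: {modifier}")

def matching_selections(event: Dict[str, str]) -> List[str]:
    """Selections whose clauses all hold (clauses inside one selection are ANDed)."""
    return [name for name, clauses in SELECTIONS.items()
            if all(_clause_match(event, k, p) for k, p in clauses.items())]

def rule_fires(event: Dict[str, str]) -> bool:
    """condition: 1 of selection*"""
    return bool(matching_selections(event))

# Constructed process-creation events, not real telemetry.
EVENTS = {
    "botframework_debug": {"Image": r"C:\tools\ngrok.exe", "CommandLine": "ngrok http 3978"},
    "config_start": {"Image": r"C:\tools\ngrok.exe", "CommandLine": "ngrok start --all --config ngrok.yml"},
    "rdp_tunnel": {"Image": r"C:\tmp\ngrok.exe", "CommandLine": "ngrok tcp 3389"},
    "unrelated": {"Image": r"C:\Windows\System32\curl.exe", "CommandLine": "curl http://example.test"},
}

if __name__ == "__main__":
    for label, ev in EVENTS.items():
        print(f"{label:20s} fires={rule_fires(ev)!s:5s} via {matching_selections(ev)}")
```

Tuning the false positive therefore means distinguishing the development use (here the Bot Framework port) from the other selection3 hits rather than suppressing the selection as a whole.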