Communication To Ngrok Tunneling Service Initiated

Last updated on:

Rule name: Communication To Ngrok Tunneling Service Initiated

Rule type: Standard

Log sources: Windows

MITRE ATT&CK tags: Command and Control: Protocol Tunneling (T1572), Command and Control: Dynamic Resolution - Domain Generation Algorithms (T1568.002), Command and Control: Proxy (T1090), Exfiltration: Exfiltration Over Web Service (T1567), Command and Control: Web Service (T1102)

Severity: Trouble

About the rule

Rule Type

Standard

Rule Description

A process initiated a network connection to "ngrok" tunneling domains. Attackers widely use these tunnels to execute payloads or malware scripts and to exfiltrate data; essentially, the legitimate ngrok executable is used to mask malicious activity as ordinary traffic.

Severity

Trouble

Rule journey

Attack chain scenario

Initial access (Insider attack) → Execution (Setup Tunnel) → Defense Evasion → Command and control → Impact

Impact

  • The attacker accesses the exposed internal resource remotely, often for lateral movement, data exfiltration, or maintaining persistent access.
  • Ngrok encapsulates the malicious C2 traffic: the attacker's traffic is proxied through the tunnel to internal systems, masking the true source and destination of the activity.
  • Data exfiltration is achieved through the same masked Ngrok tunneling path.

Rule Requirement

Prerequisites

  • Download and install Sysmon from Microsoft Sysinternals. Then open a Command Prompt with administrator privileges and install Sysmon with a configuration that monitors network connections using:

sysmon.exe -i [configfile.xml].

  • Add network connection events to monitor in your configuration file using:

<!-- schemaversion is required by Sysmon; set it to the schema version your installed build reports (sysmon -s) -->
<Sysmon schemaversion="4.90">
  <EventFiltering>
    <!-- An empty exclude rule for NetworkConnect logs every network connection (Event ID 3) -->
    <NetworkConnect onmatch="exclude"/>
  </EventFiltering>
</Sysmon>

  • Create a new registry key "Microsoft-Windows-Sysmon/Network" under "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\".
  • Set the registry value MaxSize to 200 MB to ensure adequate storage for network logs, as they tend to be high volume.

Criteria

Action1: actionname = "sa_network_connection" AND DESTINATIONHOST contains "tunnel.us.ngrok.com,tunnel.eu.ngrok.com,tunnel.ap.ngrok.com,tunnel.au.ngrok.com,tunnel.sa.ngrok.com,tunnel.jp.ngrok.com,tunnel.in.ngrok.com" select Action1.HOSTNAME,Action1.MESSAGE,Action1.USERNAME,Action1.PROCESSNAME,Action1.DESTINATIONHOST,Action1.DESTINATION_IPV6,Action1.DEST_IP,Action1.SOURCEHOST,Action1.SOURCE_IP,Action1.SOURCE_IPV6
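The following is an added example, not part of the rule page or its vendor's product: it runs the Criteria above over raw Sysmon Event ID 3 (NetworkConnect) records exported as Windows event XML and returns the same fields the rule selects (hostname, user, process, destination host and IP, source host and IP). The three event records are constructed sample data; the destination host list is copied from the Criteria. The match is the rule's "contains" semantics applied case-insensitively.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Destination hosts copied from the rule's Criteria block.
NGROK_TUNNEL_HOSTS = (
    "tunnel.us.ngrok.com", "tunnel.eu.ngrok.com", "tunnel.ap.ngrok.com",
    "tunnel.au.ngrok.com", "tunnel.sa.ngrok.com", "tunnel.jp.ngrok.com",
    "tunnel.in.ngrok.com",
)

# Namespace of Windows event XML as exported from the Sysmon operational log.
_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


@dataclass(frozen=True)
class Match:
    """Fields the rule's 'select' clause returns for one matching event."""
    hostname: str
    username: str
    process_name: str
    destination_host: str
    dest_ip: str
    source_host: str
    source_ip: str


def is_ngrok_tunnel_host(host: str) -> bool:
    """DESTINATIONHOST contains any of the listed tunnel domains (case-insensitive)."""
    h = host.strip().lower()
    return any(t in h for t in NGROK_TUNNEL_HOSTS)


def _event_data(root: ET.Element) -> Dict[str, str]:
    """Collect the <Data Name="..."> fields of an event into a dict."""
    return {d.get("Name", ""): (d.text or "")
            for d in root.findall("./e:EventData/e:Data", _NS)}


def evaluate(events_xml: Iterable[str]) -> List[Match]:
    """Apply the rule to raw event XML strings; only Sysmon Event ID 3
    (NetworkConnect, the 'sa_network_connection' action) is considered."""
    matches: List[Match] = []
    for raw in events_xml:
        root = ET.fromstring(raw)
        if root.findtext("./e:System/e:EventID", default="", namespaces=_NS) != "3":
            continue
        data = _event_data(root)
        dest = data.get("DestinationHostname", "")
        if not is_ngrok_tunnel_host(dest):
            continue
        matches.append(Match(
            hostname=root.findtext("./e:System/e:Computer", default="", namespaces=_NS),
            username=data.get("User", ""),
            process_name=data.get("Image", ""),
            destination_host=dest,
            dest_ip=data.get("DestinationIp", ""),
            source_host=data.get("SourceHostname", ""),
            source_ip=data.get("SourceIp", ""),
        ))
    return matches


def _sample_event(event_id: int, computer: str, fields: Dict[str, str]) -> str:
    """Build a constructed Sysmon event record in Windows event XML shape."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{_NS["e"]}"><System>'
            f'<Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID>'
            f'<Computer>{computer}</Computer></System>'
            f'<EventData>{data}</EventData></Event>')


# Constructed sample records: one ngrok tunnel connection, one benign connection,
# and one process-creation event (ID 1) that the rule must ignore.
SAMPLE_EVENTS = [
    _sample_event(3, "WS01.corp.example", {
        "Image": "C:\\Users\\alice\\Downloads\\ngrok.exe", "User": "CORP\\alice",
        "Protocol": "tcp", "Initiated": "true",
        "SourceIp": "10.0.0.5", "SourceHostname": "WS01.corp.example",
        "DestinationIp": "203.0.113.10", "DestinationHostname": "TUNNEL.us.ngrok.com",
        "DestinationPort": "443"}),
    _sample_event(3, "WS02.corp.example", {
        "Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM",
        "Protocol": "tcp", "Initiated": "true",
        "SourceIp": "10.0.0.6", "SourceHostname": "WS02.corp.example",
        "DestinationIp": "198.51.100.20", "DestinationHostname": "update.example.com",
        "DestinationPort": "443"}),
    _sample_event(1, "WS01.corp.example", {
        "Image": "C:\\Users\\alice\\Downloads\\ngrok.exe", "User": "CORP\\alice"}),
]

if __name__ == "__main__":
    for m in evaluate(SAMPLE_EVENTS):
        print(f"{m.hostname} {m.username} {m.process_name} -> {m.destination_host} ({m.dest_ip})")
```

The process path and user in a match are what distinguish a developer's deliberate tunnel (see Known False Positives) from an unexpected binary under a user profile, so keep them in any alert you raise from this logic.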

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Command and Control: Protocol Tunneling (T1572), Command and Control: Dynamic Resolution - Domain Generation Algorithms (T1568.002), Command and Control: Proxy (T1090), Exfiltration: Exfiltration Over Web Service (T1567), Command and Control: Web Service (T1102)

Security Standards

Enabling this rule helps you meet the security standard requirements listed below:

ID.AM-03: Representations of the organization’s authorized network communication and internal and external network data flows are maintained.

This control asks security administrators to map and document how data moves across the network, covering both internal and external communication.

DE.CM-01: Networks and network services are monitored to find potentially adverse events.

Security administrators have to continuously monitor all networks and their services in real time using SIEM tools and identify unusual behavior, such as connections initiated to Ngrok tunneling services. Enforce policies on web traffic to ensure network security.

Author

Florian Roth (Nextron Systems)

Future actions

Known False Positives

Developers, DevOps, or IT support professionals use Ngrok tunneling services to expose applications, APIs, and web servers for testing and debugging integrations. Automated testing (CI/CD pipelines, automated QA) also uses it to temporarily expose resources as part of a workflow.

Next Steps

When this rule is triggered, the following measures can be implemented:

  1. Identification: Identify the event and check whether the flagged incident is new or already known.
  2. Analysis: Analyze the impact and extent of the incident to understand the severity of the attack using the Incident Workbench.
  3. Response: Respond promptly by initiating an automated workflow to interrupt the network connections and terminate the malicious process.
  4. Reconfiguration: Update the network policies and port configurations, and continuously monitor traffic trends in the network.

Mitigation

M1031 - Network Intrusion Prevention

Use network intrusion detection and prevention signatures to identify and block adverse traffic entering the network. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.

M1021 - Restrict Web-Based Content

In some cases, a local DNS sinkhole can be used as a cost-effective method to block domain generation algorithm (DGA)-based command and control communications.

M1037 - Filter Network Traffic

Filter traffic to and from untrusted or suspicious network domains.

M1020 - SSL/TLS Inspection

Inspect HTTPS traffic so that indicators hidden inside encrypted sessions, such as domain fronting, can be observed.

M1057 - Data Loss Prevention

Data loss prevention detects and blocks sensitive data being uploaded to external resources.