Service exposed using ngrok
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Goal
Detect services being publicly exposed using ngrok.
Strategy
The tool ngrok is used to expose a local service to the public internet. While ngrok has legitimate uses, it can also be used maliciously to exfiltrate data. This rule generates a signal when a workload connects to the ngrok tunneling endpoint.
Triage and response
- Determine if this is expected activity for the workload.
- If this is not expected, isolate the workload, preserving it for analysis.
- Review related signals to understand the full timeline of the incident.
- Search for similar activity in network flow logs. Other hosts may also be affected.
- Find and repair the root cause of the incident.
This detection is based on data from Cloud Network Monitoring.