Service exposed using ngrok

Classification:

attack

Tactic:

TA0010-exfiltration

Technique:

T1567-exfiltration-over-web-service

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect services being publicly exposed using ngrok.

Strategy

The tool ngrok is used to expose a local service to the public internet. While ngrok has legitimate uses, it can also be used maliciously to exfiltrate data. This rule generates a signal when a workload connects to the ngrok tunneling endpoint.

Triage and response

  1. Determine if this is expected activity for the workload.
  2. If this is not expected, isolate the workload, preserving it for analysis.
  3. Review related signals to understand the full timeline of the incident.
  4. Search for similar activity in network flow logs. Other hosts may also be affected.
  5. Find and repair the root cause of the incident.

This detection is based on data from Network Performance Monitoring.