Service exposed using ngrok

Goal

Detect services being publicly exposed using ngrok.

Strategy

The tool ngrok is used to expose a local service to the public internet. While ngrok has legitimate uses, it can also be used maliciously to exfiltrate data. This rule generates a signal when a workload connects to the ngrok tunneling endpoint.

Triage and response

  1. Determine if this is expected activity for the workload.
  2. If this is not expected, isolate the workload, preserving it for analysis.
  3. Review related signals to understand the full timeline of the incident.
  4. Search for similar activity in network flow logs. Other hosts may also be affected.
  5. Find and repair the root cause of the incident.

This detection is based on data from Network Performance Monitoring.