detection.wiki

Detection rules › Splunk

ngrok Execution - Windows (Windows Event Log)

Group by
_time, host
Source
github.com/anvilogic-forge/armory

Ngrok is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. Ngrok has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration. This use case detects process creation events for ngrok.exe or command patterns likely to be unique to ngrok in the event of a renamed executable

MITRE ATT&CK coverage

TacticTechniques
Command & ControlT1572 Protocol Tunneling

References

Event coverage

ProviderEventTitle
Security-AuditingEvent ID 4688A new process has been created.

Rule body yaml

id: '20685.36863'
title: ngrok Execution - Windows
description: 'Ngrok is a legitimate reverse proxy tool that can create a secure tunnel
  to servers located behind firewalls or on local machines that do not have a public
  IP. Ngrok has been leveraged by threat actors in several campaigns including use
  for lateral movement and data exfiltration. This use case detects process creation
  events for ngrok.exe or command patterns likely to be unique to ngrok in the event
  of a renamed executable. -- Threat Actor Association: Scattered Spider (aka. Muddled
  Libra, Scatter Swine, Starfraud, UNC3944)'
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_winevent` (TERM(EventCode=4688) OR
  "<EventID>4688<" OR Type=Process) TERM(ngrok) OR (TERM(start) "--all" "--config"
  ".yml") OR (TERM(tcp) ("139" OR "445" OR "3389" OR "5985" OR "5986")) | where match(process,
  "(?i)(tcp\s+(139|445|3389|5985|5986))|(\.exe\s+|(authtoken\s|start\s+--all))|(start\s.*\s--all\s.*\s--config\s.+\.yml)")
  OR match(process_path, "(?i)ngrok\.exe") | table _time, host, user, signature_id,
  process, process_*, parent_process_* | bin span=1s | stats values(*) as * by _time,
  host '
techniques:
- command-and-control:protocol tunneling
technique_id: 
- T1572
data_category:
- Process command-line parameters
- Windows event logs
references:
- https://www.logpoint.com/en/blog/a-deep-look-at-the-darkside-ransomware-operators-and-their-affiliates/

Stages and Predicates

Stage 1: search

`get_endpoint_data` `get_endpoint_data_winevent` (TERM(EventCode=4688) OR "<EventID>4688<" OR Type=Process) TERM(ngrok) OR (TERM(start) "--all" "--config" ".yml") OR (TERM(tcp) ("139" OR "445" OR "3389" OR "5985" OR "5986"))

Stage 2: where

| where match(process, "(?i)(tcp\s+(139|445|3389|5985|5986))|(\.exe\s+|(authtoken\s|start\s+--all))|(start\s.*\s--all\s.*\s--config\s.+\.yml)") OR match(process_path, "(?i)ngrok\.exe")

Stage 3: table

| table _time, host, user, signature_id, process, process_*, parent_process_*

Stage 4: bucket

| bin span=1s

Stage 5: stats

| stats values(*) as * by _time, host

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
EventCodeeq
  • 4688 corpus 313 (splunk 283, kusto 30)
processmatch
  • "(?i)(tcp\s+(139|445|3389|5985|5986))|(\.exe\s+|(authtoken\s|start\s+--all))|(start\s.*\s--all\s.*\s--config\s.+\.yml)" corpus 3 (splunk 3)
process_pathmatch
  • "(?i)ngrok\.exe" corpus 3 (splunk 3)

Search terms

Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.

StageTerm
1TERM
1"<EventID>4688<"
1TERM
1ngrok
1TERM
1start
1"--all"
1"--config"
1".yml"
1TERM
1tcp
1"139"
1"445"
1"3389"
1"5985"
1"5986"