Ngrok Tunnels

BlueteamOps
Aug 19, 2020


FireEye’s blog post about the MAZE group identifies the use of RDP over the Ngrok service as an alternative C2 channel. This article describes potential hunts that can be used to detect ngrok activity. Please note that this article is limited to observations related to the Windows OS.

What is Ngrok?

Ngrok (a service much loved by DevOps) allows you to expose internal network services such as SSH, RDP, SMB, etc. through its cloud service. This is accomplished through a secure reverse connection established from the internal host to the Ngrok cloud service.

MITRE ATT&CK Mappings for Ngrok Usage

Ngrok has been around for some time and has been leveraged by various threat actors and malicious campaigns (Lokibot, card skimming, Fox Kitten, LordEK, etc.).

Detection

Please note that my observations are based on Ngrok version 2.3.35.

A PowerShell script like https://github.com/benyG/Invoke-Ngrok/blob/master/Invoke-Ngrok.ps1 can be leveraged by threat actors to drop and execute ngrok in a scripted fashion.

Network activity

  • Runs a local web interface on port 4040 on 127.0.0.1 for monitoring the tunnel.
  • Makes outbound network connections to:
    • update.equinox.io: used for self-updating packages. By default the “updatecheck” configuration is active!
    • tunnel.us.ngrok.com: reverse tunnel.

File Activity

Ngrok requires a config file to operate successfully. An authcode must be registered with Ngrok’s cloud service prior to setting up tunnels. By default a config file named “ngrok.yml” is created inside a folder named “.ngrok2”. The default location of the config file is C:\Users\%USERNAME%\.ngrok2. Note that the PowerShell script mentioned above drops the ngrok executable to C:\Users\%USERNAME%.

Ngrok Log

By default, logging is disabled. However, certain scripts may have it enabled, which can be useful during DFIR investigations. For example, the PowerShell script discussed earlier writes the standard output to a file called e.log.

Suggested Hunts

Carbon Black PSC

(( netconn_port:4040 AND netconn_ipv4:127.0.0.1) OR (netconn_domain:ngrok.com OR netconn_domain:equinox.io) AND netconn_count:[1 TO *]) OR filemod_name:*ngrok* OR hash:80258721df91910876b37cb3b47d57b1

OSQuery

SELECT s.pid, p.name, local_address, local_port FROM process_open_sockets s JOIN processes p ON s.pid = p.pid WHERE local_port = '4040' AND local_address = '127.0.0.1';

Firewall

Search for outbound connections to the ngrok.com and equinox.io domains.
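As an added example (not code from the original post), the hunts above combined into one small Python checker run over constructed sample telemetry. The event field names (type, local_ip, local_port, remote_host, path, name, cmdline) are assumptions for the example, not any EDR’s real schema.

```python
# Added hunt helper (not from the original post); event field names are assumptions.
from pathlib import PureWindowsPath

# Indicators taken from the post: local web UI, update check, reverse tunnel, config dir.
NGROK_LOCAL_UI = ("127.0.0.1", 4040)
NGROK_DOMAINS = ("ngrok.com", "equinox.io")  # matched as exact name or parent domain
NGROK_CONFIG_DIR = ".ngrok2"                  # default home of ngrok.yml

def is_ngrok_domain(host: str) -> bool:
    """True if host is one of the ngrok-related domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in NGROK_DOMAINS)

def hunt(events):
    """Return (event_index, reason) for each event that matches an ngrok indicator.
    Event dicts: netconn(local_ip, local_port, remote_host), filemod(path), process(name, cmdline)."""
    hits = []
    for i, ev in enumerate(events):
        kind = ev.get("type")
        if kind == "netconn":
            if (ev.get("local_ip"), ev.get("local_port")) == NGROK_LOCAL_UI:
                hits.append((i, "ngrok local web interface on 127.0.0.1:4040"))
            if is_ngrok_domain(ev.get("remote_host", "")):
                hits.append((i, f"outbound to ngrok infrastructure: {ev['remote_host']}"))
        elif kind == "filemod":
            p = PureWindowsPath(ev.get("path", ""))  # handles C:\ paths on any host OS
            if NGROK_CONFIG_DIR in p.parts or "ngrok" in p.name.lower():
                hits.append((i, f"ngrok file activity: {p}"))
        elif kind == "process":
            if "ngrok" in (ev.get("name", "") + " " + ev.get("cmdline", "")).lower():
                hits.append((i, f"ngrok process: {ev.get('name')}"))
    return hits

# Constructed sample telemetry (not real data); one benign event of each type is mixed in.
SAMPLE_EVENTS = [
    {"type": "netconn", "local_ip": "127.0.0.1", "local_port": 4040, "remote_host": ""},
    {"type": "netconn", "local_ip": "10.0.0.5", "local_port": 51022, "remote_host": "tunnel.us.ngrok.com"},
    {"type": "netconn", "local_ip": "10.0.0.5", "local_port": 51023, "remote_host": "update.equinox.io"},
    {"type": "netconn", "local_ip": "10.0.0.5", "local_port": 51024, "remote_host": "www.example.com"},
    {"type": "filemod", "path": r"C:\Users\alice\.ngrok2\ngrok.yml"},
    {"type": "filemod", "path": r"C:\Users\alice\Documents\notes.txt"},
    {"type": "process", "name": "ngrok.exe", "cmdline": "ngrok.exe tcp 3389"},
    {"type": "process", "name": "notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for idx, reason in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

The domain check deliberately requires a dot boundary, so a look-alike such as notngrok.com is not flagged.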

Written by BlueteamOps (Janantha Marasinghe’s Research). If you like my work you can support me at buymeacoffee.com/jananthadmm