Is my host protected against ngrok?

Ngrok is a reverse proxy tool that provides secure tunnels over the Internet. Adversaries may use ngrok to tunnel traffic to their command and control servers. It's important to monitor for the presence of ngrok, as it may be used to bypass network security controls. This chain requires an ngrok account: the ngrok.token fact must be set to your ngrok token, which is available in the ngrok dashboard. Warning: This TTP will expose the host to the Internet.
This week, we're looking at a popular reverse proxy:
  • Is my host protected against ngrok?

Is my host protected against ngrok?

Ngrok is a powerful cross-platform reverse proxy that provides a secure method of putting systems on the Internet. Systems exposed through an Ngrok agent are accessible via a corresponding Ngrok forwarding URL. Through this URL, users can access the proxied application without the need to configure complex networking. Various additional features are available for purchase, including custom domains and authentication methods.

Ngrok is also utilized by threat actors to establish command and control channels, and may additionally be used to exfiltrate data. In particular, it's efficient for bypassing network restrictions and may avoid detection in environments where Ngrok is already deployed.

Testing

Execute Operator’s Is my host protected against ngrok? TTP on each host in your environment to test if you are vulnerable.

This chain is configured to stage an ngrok agent on the host and execute it. If the process is allowed to run, the ngrok agent makes a temporary file available over a secure tunnel. The TTP then attempts to download the file from the Internet over this secure tunnel and verify its contents. It then kills the ngrok process, closing the tunnel. If the host is protected, the ngrok agent process should be blocked or killed.

Note that this TTP may bypass firewall restrictions and expose the host to the Internet. It is recommended to test this TTP in a sandboxed environment.

Remediation

To protect yourself from ngrok: monitor for ngrok processes on hosts in your environment and kill unexpected instances; monitor network traffic for connections to ngrok infrastructure; and, if your environment does not use ngrok, block outbound connections to ngrok infrastructure. Finally, Windows Security Events may contain additional artifacts that help establish whether ngrok is being used in your environment.
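As an added example (not part of the original post or of Prelude's tooling), a small Python detector that applies the monitoring advice above to constructed sample telemetry: process-creation records in the shape of Windows Security Event 4688 and DNS resolver records. The ngrok image pattern, tunnel subcommands and domain suffixes are assumptions to tune for your own environment.

```python
import re

# Assumed indicators (not from the original post): the ngrok agent's image name,
# its tunnel subcommands, and domain suffixes used by ngrok tunnels. Tune these
# to your own telemetry and vendor documentation.
NGROK_IMAGE = re.compile(r"(^|[\\/])ngrok(\.exe)?$", re.IGNORECASE)
NGROK_CMDLINE = re.compile(r"\bngrok(\.exe)?\b.*\b(http|tcp|tls|start|tunnel)\b", re.IGNORECASE)
NGROK_DOMAINS = ("ngrok.io", "ngrok.com", "ngrok-free.app")

def is_ngrok_process(image: str, cmdline: str) -> bool:
    """Flag a process-creation record whose image or command line names ngrok."""
    return bool(NGROK_IMAGE.search(image)) or bool(NGROK_CMDLINE.search(cmdline))

def is_ngrok_destination(host: str) -> bool:
    """Dot-anchored suffix match, so 'notngrok.io' does not match 'ngrok.io'."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in NGROK_DOMAINS)

def scan_events(events):
    """Return (kind, host, detail) alerts for events that look like ngrok use."""
    alerts = []
    for ev in events:
        if ev["type"] == "process" and is_ngrok_process(ev["image"], ev["cmdline"]):
            alerts.append(("process", ev["host"], ev["cmdline"]))
        elif ev["type"] == "dns" and is_ngrok_destination(ev["query"]):
            alerts.append(("dns", ev["host"], ev["query"]))
    return alerts

# Constructed sample telemetry: "process" mimics Windows Security Event 4688
# (process creation); "dns" mimics a resolver log. All hosts and names are made up.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS01", "image": r"C:\Users\alice\Downloads\ngrok.exe",
     "cmdline": r'"C:\Users\alice\Downloads\ngrok.exe" http 8080'},
    {"type": "process", "host": "WS01", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    # A renamed agent evades the name-based rule; the DNS rule is the second signal.
    {"type": "process", "host": "WS02", "image": r"C:\Temp\updater.exe",
     "cmdline": "updater.exe tcp 22"},
    {"type": "dns", "host": "WS02", "query": "a1b2-203-0-113-7.ngrok-free.app"},
    {"type": "dns", "host": "WS02", "query": "notngrok.io"},
    {"type": "dns", "host": "WS03", "query": "api.ngrok.com."},
]

if __name__ == "__main__":
    for kind, host, detail in scan_events(SAMPLE_EVENTS):
        print(f"[{kind}] {host}: {detail}")
```

The renamed-binary record shows why process-name matching alone is not enough: the same host is only caught by its DNS query to an ngrok domain, which is the second signal the remediation advice calls for.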

Check out the TTP Is my host protected against ngrok? on the Prelude chains website.

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org
See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: https://twitter.com/privateducky
Alex: https://twitter.com/khyberspache
Octavia: https://twitter.com/VVX7
Waseem: https://twitter.com/gerbsec

Source: https://feed.prelude.org

TTPs

Is my host protected against ngrok?

Tags

destructive