Ngrok is also utilized by threat actors to establish command and control channels, and may additionally be used to exfiltrate data. In particular, it's efficient for bypassing network restrictions and may avoid detection in environments where Ngrok is already deployed.
Execute Operator’s Is my host protected against ngrok?
TTP on each host in your environment to test if you are vulnerable.
This chain is configured to stage an ngrok agent on the host and execute it. If the process is allowed to run, the grok agent makes a temporary file available over a secure tunnel. The TTP then attempts to download the file from the Internet over this secure tunnel and verify the contents. It then kills the ngrok process, closing the tunnel. If the host is protected, the ngrok agent process should be blocked or killed.
Note that this TTP may bypass firewall restrictions and expose the host to the Internet. It is recommended to test this TTP in a sandboxed environment.
To protect yourself from ngrok, you should monitor for ngrok processes on hosts in your environment and kill unexpected instances, monitor network traffic for connections to ngrok infrastructure, and block outbound connections to ngrok infrastructure if your environment is not using ngrok. Finally, Windows Security Events may contain additional artifacts to help establish if ngrok is being used in your environment.
Check out the TTP Is my host protected against ngrok? on the Prelude chains website.
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:
Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org
See our open-source repositories: https://github.com/preludeorg
Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg
David: https://twitter.com/privateducky
Alex: https://twitter.com/khyberspache
Octavia: https://twitter.com/VVX7
Waseem: https://twitter.com/gerbsec