Description

The following analytic story describes applications that may be abused to reverse proxy back into an organization, either for persistence or remote access.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Network_Resolution
  • Last Updated: 2022-11-16
  • Author: Michael Haag, Splunk
  • ID: 265e4127-21fd-43e4-adac-ec5d12274111

Narrative

This analytic story covers tools like Ngrok, a legitimate reverse proxy tool that creates a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. Ngrok in particular has been leveraged by threat actors in several campaigns, including for lateral movement and data exfiltration. Many open source and closed/paid tools fall into this reverse proxy category. The analytic story and its complementary analytics will be released as more are identified.

Detections

| Name | Technique | Type |
| --- | --- | --- |
| Linux Ngrok Reverse Proxy Usage | Protocol Tunneling, Proxy, Web Service | Anomaly |
| Ngrok Reverse Proxy on Network | Protocol Tunneling, Proxy, Web Service | Anomaly |
| Windows Ngrok Reverse Proxy Usage | Protocol Tunneling, Proxy, Web Service | Anomaly |
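As an added example (not the story's own SPL), the Python below sketches the logic behind the endpoint-side and network-side detections listed above, run over constructed sample events shaped like the Endpoint and Network_Resolution datamodels. The ngrok sub-command list and domain list are assumptions to be tuned for your environment.

```python
import re

# Constructed sample events, not real telemetry. ENDPOINT_EVENTS mimics the
# Processes node of the Endpoint datamodel; DNS_EVENTS mimics the query field
# of the Network_Resolution datamodel.
ENDPOINT_EVENTS = [
    {"host": "ws01", "process_name": "ngrok.exe", "process": "ngrok.exe tcp 3389"},
    {"host": "ws02", "process_name": "chrome.exe", "process": "chrome.exe --profile-directory=Default"},
    {"host": "srv01", "process_name": "ngrok", "process": "./ngrok start --all --config /tmp/ngrok.yml"},
    {"host": "ws03", "process_name": "ngrok.exe", "process": "ngrok.exe --version"},
]
DNS_EVENTS = [
    {"host": "ws01", "query": "tunnel.ngrok.com"},
    {"host": "ws02", "query": "www.example.org"},
    {"host": "ws04", "query": "abcd-1234.ngrok.io"},
]

# Assumed indicator lists: ngrok CLI sub-commands that open a tunnel, and the
# domains the agent and its public endpoints resolve to.
TUNNEL_CMDS = re.compile(r"\b(tcp|http|tls|start|tunnel)\b")
NGROK_DOMAINS = ("ngrok.com", "ngrok.io", "ngrok-free.app")


def ngrok_process_usage(events):
    """Return (host, command line) pairs where an ngrok binary opened a tunnel."""
    hits = []
    for e in events:
        if e["process_name"].lower() not in ("ngrok", "ngrok.exe"):
            continue
        # Strip the binary itself so only the arguments are inspected;
        # "ngrok.exe --version" therefore does not fire.
        args = e["process"].split(None, 1)[1] if " " in e["process"] else ""
        if TUNNEL_CMDS.search(args):
            hits.append((e["host"], e["process"]))
    return hits


def ngrok_on_network(events):
    """Return (host, query) pairs for DNS lookups of ngrok infrastructure."""
    hits = []
    for e in events:
        q = e["query"].lower()
        if any(q == d or q.endswith("." + d) for d in NGROK_DOMAINS):
            hits.append((e["host"], e["query"]))
    return hits


if __name__ == "__main__":
    print(ngrok_process_usage(ENDPOINT_EVENTS))
    print(ngrok_on_network(DNS_EVENTS))
```

Correlating a host that appears in both result sets gives a higher-confidence signal than either check alone.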

Version: 1