EXPLORE
Sign In
← Back to Explore
sigmahighHunting

Ngrok Usage with Remote Desktop Service

Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour

MITRE ATT&CK

T1090
command-and-control

Detection Query

selection:
  EventID: 21
  Address|contains: "16777216"
condition: selection

Author

Florian Roth (Nextron Systems)

Created

2022-04-29

Data Sources

windowsterminalservices-localsessionmanager

Platforms

windows

References

Tags

attack.command-and-controlattack.t1090
Raw Content
title: Ngrok Usage with Remote Desktop Service
id: 64d51a51-32a6-49f0-9f3d-17e34d640272
status: test
description: Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour
references:
    - https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg
    - https://ngrok.com/
author: Florian Roth (Nextron Systems)
date: 2022-04-29
tags:
    - attack.command-and-control
    - attack.t1090
logsource:
    product: windows
    service: terminalservices-localsessionmanager
detection:
    selection:
        EventID: 21
        Address|contains: '16777216'
    condition: selection
falsepositives:
    - Unknown
level: high