Analytics Story: Reverse Network Proxy

Description

The following analytic story describes applications that may be abused to reverse proxy back into an organization, either for persistence or remote access.

Why it matters

This analytic story covers tools like Ngrok, a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. Ngrok in particular has been leveraged by threat actors in several campaigns, including for lateral movement and data exfiltration. Many open source and closed-source/paid tools fall into this reverse proxy category; the analytic story and its accompanying analytics will be extended as more are identified.

Detections

Name                              Technique                                Type
Linux Ngrok Reverse Proxy Usage   Protocol Tunneling, Proxy, Web Service   Anomaly
Windows Ngrok Reverse Proxy Usage Protocol Tunneling, Proxy, Web Service   Anomaly
Ngrok Reverse Proxy on Network    Protocol Tunneling, Proxy, Web Service   Anomaly

Data Sources

Name                             Platform   Sourcetype                  Source
CrowdStrike ProcessRollup2       N/A        crowdstrike:events:sensor   crowdstrike
Sysmon EventID 1                 Windows    xmlwineventlog              XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 22                Windows    xmlwineventlog              XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon for Linux EventID 1       Linux      sysmon:linux                Syslog:Linux-Sysmon/Operational
Windows Event Log Security 4688  Windows    xmlwineventlog              XmlWinEventLog:Security
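
As an added example (not part of the Splunk analytic story or its detection searches), the following Python runs a simplified version of the three detections above over constructed Sysmon-style process-creation and DNS-query events; the tunnel subcommands and ngrok domain names it matches are assumptions drawn from public ngrok documentation, not from this page.

```python
"""Simplified Ngrok reverse proxy detection over constructed Sysmon-style events.

Added example, not code from the Splunk analytic story. The image/command-line
patterns and domain list are assumptions based on public ngrok documentation.
"""
import re
from typing import Dict, List, Optional, Tuple

# Process image named ngrok / ngrok.exe, in any directory (assumption).
NGROK_IMAGE = re.compile(r"(^|[\\/])ngrok(\.exe)?$", re.IGNORECASE)
# Subcommands that open or configure a tunnel (assumption from ngrok docs).
TUNNEL_ARGS = re.compile(r"\b(tcp|http|tls|start|authtoken)\b", re.IGNORECASE)
# Domains the ngrok agent resolves when it connects (assumption from ngrok docs).
NGROK_DOMAINS = ("ngrok.com", "ngrok.io", "ngrok-free.app", "ngrok.app")


def classify(event: Dict) -> Optional[str]:
    """Map one event to a detection name from the analytic story, or None."""
    eid = event.get("EventID")
    if eid in (1, 4688):  # Sysmon process create / Security 4688
        if NGROK_IMAGE.search(event.get("Image", "")) and TUNNEL_ARGS.search(
            event.get("CommandLine", "")
        ):
            # Sourcetype distinguishes the Linux and Windows detections on this page.
            platform = "Linux" if event.get("sourcetype") == "sysmon:linux" else "Windows"
            return f"{platform} Ngrok Reverse Proxy Usage"
    elif eid == 22:  # Sysmon DNS query
        query = event.get("QueryName", "").lower().rstrip(".")
        if any(query == d or query.endswith("." + d) for d in NGROK_DOMAINS):
            return "Ngrok Reverse Proxy on Network"
    return None


def hunt(events: List[Dict]) -> List[Tuple[str, str]]:
    """Return (host, detection name) for every event that matches a detection."""
    return [(e["Host"], name) for e in events if (name := classify(e)) is not None]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Host": "ws01", "EventID": 1, "sourcetype": "xmlwineventlog",
     "Image": r"C:\Users\bob\Downloads\ngrok.exe", "CommandLine": "ngrok.exe tcp 3389"},
    {"Host": "ws01", "EventID": 22, "sourcetype": "xmlwineventlog",
     "QueryName": "tunnel.us.ngrok.com"},
    {"Host": "srv02", "EventID": 1, "sourcetype": "sysmon:linux",
     "Image": "/tmp/ngrok", "CommandLine": "./ngrok http 8080"},
    {"Host": "ws03", "EventID": 1, "sourcetype": "xmlwineventlog",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c echo ngrok"},
    {"Host": "ws03", "EventID": 22, "sourcetype": "xmlwineventlog",
     "QueryName": "www.example.com"},
]

if __name__ == "__main__":
    for host, detection in hunt(SAMPLE_EVENTS):
        print(f"{host}: {detection}")
```

Renaming the binary defeats the image match, which is why the DNS-based detection on this page complements the process-based ones.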

Source: GitHub | Version: 1