The following analytic story describes applications that may be abused to reverse proxy back into an organization, either for persistence or remote access.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint, Network_Resolution
- Last Updated: 2022-11-16
- Author: Michael Haag, Splunk
- ID: 265e4127-21fd-43e4-adac-ec5d12274111
This analytic story covers tools like Ngrok, a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. Ngrok in particular has been leveraged by threat actors in several campaigns, including for lateral movement and data exfiltration. There are many open source and closed/paid tools that fall into this reverse proxy category. The analytic story and its complementary analytics will be released as more are identified.
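As an added illustration of the kind of detection logic this story points at (not one of Splunk's own analytics), the script below runs two simple checks over constructed sample events shaped like the Endpoint and Network_Resolution data models: a process check for the Ngrok binary or its tunnel-style command line, and a DNS check for queries to Ngrok service domains. The field names (`process_name`, `process`, `query`), the domain list and the command-line heuristic are assumptions made for this example and would need to be tuned against real telemetry.

```python
"""Added example: flag Ngrok-style reverse proxy activity in endpoint and DNS events.

Illustrative code written for this page, not a Splunk analytic. Sample events
below are constructed; field names mirror the Endpoint and Network_Resolution
data models as an assumption.
"""
import re

# Assumed indicator list; keep it maintained from current vendor documentation.
NGROK_DOMAINS = ("ngrok.io", "ngrok.com")

# Binary name as reported in Endpoint.Processes.process_name (Windows or Linux form).
NGROK_PROCESS_RE = re.compile(r"^ngrok(?:\.exe)?$", re.IGNORECASE)
# Heuristic for a renamed binary: "<proto> <port>" tunnel syntax plus an authtoken argument.
TUNNEL_RE = re.compile(r"\b(?:tcp|http|tls)\s+\d{1,5}\b", re.IGNORECASE)
AUTHTOKEN_RE = re.compile(r"--?authtoken\b", re.IGNORECASE)

# Constructed Endpoint process events.
ENDPOINT_EVENTS = [
    {"host": "WS01", "process_name": "ngrok.exe",
     "process": "C:\\Tools\\ngrok.exe tcp 3389"},
    {"host": "WS02", "process_name": "chrome.exe",
     "process": "chrome.exe --profile-directory=Default"},
    # Renamed binary: name gives nothing away, command line still does.
    {"host": "WS03", "process_name": "update.exe",
     "process": "update.exe http 8080 --authtoken REDACTED_CONSTRUCTED"},
]

# Constructed Network_Resolution events.
DNS_EVENTS = [
    {"src": "10.0.0.11", "query": "connect.ngrok.io"},
    {"src": "10.0.0.12", "query": "www.example.com"},
    {"src": "10.0.0.13", "query": "notngrok.com"},  # suffix check must not match this
]


def endpoint_findings(events):
    """Return one finding per process event that looks like an Ngrok tunnel."""
    findings = []
    for ev in events:
        name = ev.get("process_name", "")
        cmd = ev.get("process", "")
        if NGROK_PROCESS_RE.search(name):
            findings.append({"host": ev["host"], "reason": "ngrok binary name"})
        elif "ngrok" in cmd.lower():
            findings.append({"host": ev["host"], "reason": "ngrok in command line"})
        elif TUNNEL_RE.search(cmd) and AUTHTOKEN_RE.search(cmd):
            findings.append({"host": ev["host"], "reason": "tunnel syntax with authtoken"})
    return findings


def dns_findings(events):
    """Return one finding per DNS query for an Ngrok service domain or subdomain."""
    findings = []
    for ev in events:
        q = ev.get("query", "").lower().rstrip(".")
        if any(q == d or q.endswith("." + d) for d in NGROK_DOMAINS):
            findings.append({"src": ev["src"], "query": q,
                             "reason": "query for ngrok service domain"})
    return findings


if __name__ == "__main__":
    for f in endpoint_findings(ENDPOINT_EVENTS) + dns_findings(DNS_EVENTS):
        print(f)
```

The DNS check compares on exact label boundaries so that look-alike domains such as `notngrok.com` are not matched; the process check deliberately layers a name match, a command-line substring match and a syntax heuristic so a renamed binary still surfaces, at the cost of needing tuning for false positives in real environments.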
- Version: 1