Analytics Story: Reverse Network Proxy
Description
This analytic story describes applications that can be abused to open a reverse proxy back into an organization, either for persistence or for remote access.
Why it matters
This analytic story covers tools like Ngrok, a legitimate reverse proxy tool that creates a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. Ngrok in particular has been leveraged by threat actors in several campaigns, including for lateral movement and data exfiltration. Many other open source and closed-source/paid tools fall into this reverse proxy category; the analytic story and its accompanying analytics will be updated as more are identified.
Detections
| Name | Technique | Type |
|---|---|---|
| Windows Ngrok Reverse Proxy Usage | Proxy, Web Service, Protocol Tunneling | Anomaly |
| Windows Devtunnels Image Loaded | Proxy | Anomaly |
| Ngrok Reverse Proxy on Network | Proxy, Web Service, Protocol Tunneling | Anomaly |
| Windows Potential Cloudflared Network Connection | Protocol Tunneling | Hunting |
| Windows Devtunnels Execution | Proxy | Anomaly |
| Windows Potential Cloudflared Tunnel Execution | Protocol Tunneling | Anomaly |
| Linux Ngrok Reverse Proxy Usage | Proxy, Web Service, Protocol Tunneling | Anomaly |
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike |
| Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Sysmon EventID 7 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 22 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 3 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon for Linux EventID 1 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational |
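The detections above key on process creation (Sysmon EventID 1, Security 4688) and DNS queries (Sysmon EventID 22) for the tunnelling agents the story names. The following Python is an added illustration of that logic, not Splunk's or the ESCU project's own searches: it runs over constructed Sysmon-style records and flags the agents by image name, by `OriginalFileName` when the binary has been renamed, by the command-line verb that actually opens a tunnel, and by DNS queries to ngrok service domains. The binary names, command-line verbs and domain list are assumptions made for the example, not indicators taken from the page.

```python
"""Flag reverse-proxy / tunnelling agents in Sysmon-style process and DNS events.

Added example; not Splunk or ESCU code. Indicator lists are assumptions.
"""
import re
from pathlib import PurePosixPath, PureWindowsPath

# Assumed: binaries of the tunnelling agents named in the story, keyed by family.
TUNNEL_BINARIES = {
    "ngrok.exe": "ngrok", "ngrok": "ngrok",
    "devtunnel.exe": "devtunnel", "devtunnel": "devtunnel",
    "cloudflared.exe": "cloudflared", "cloudflared": "cloudflared",
}
# Assumed: command-line verbs each agent uses when it actually opens a tunnel
# (as opposed to e.g. printing its version), so findings can be prioritised.
TUNNEL_VERBS = {
    "ngrok": re.compile(r"\b(tcp|http|tls|start)\b", re.I),
    "devtunnel": re.compile(r"\b(host|connect)\b", re.I),
    "cloudflared": re.compile(r"\btunnel\b", re.I),
}
# Assumed: ngrok service domains that show up in Sysmon EventID 22 QueryName.
TUNNEL_DOMAINS = ("ngrok.io", "ngrok.com", "ngrok-free.app")


def _basename(path):
    """Lower-cased file name of a Windows or Linux image path."""
    p = PureWindowsPath(path) if "\\" in path else PurePosixPath(path)
    return p.name.lower()


def evaluate_event(event):
    """Return a finding dict for a suspicious event, or None for a benign one."""
    eid = event.get("EventID")
    image = _basename(event.get("Image", ""))
    if eid == 1:
        family = TUNNEL_BINARIES.get(image)
        reason = "known tunnel binary"
        if family is None:
            # A renamed copy keeps the PE's OriginalFileName, which Sysmon records.
            family = TUNNEL_BINARIES.get(event.get("OriginalFileName", "").lower())
            reason = "renamed tunnel binary (OriginalFileName match)"
        if family is None:
            return None
        cmd = event.get("CommandLine", "")
        return {
            "host": event.get("Computer"), "family": family, "reason": reason,
            "tunnel_started": bool(TUNNEL_VERBS[family].search(cmd)),
            "command_line": cmd,
        }
    if eid == 22:
        query = event.get("QueryName", "").lower()
        if any(query == d or query.endswith("." + d) for d in TUNNEL_DOMAINS):
            return {
                "host": event.get("Computer"), "family": "ngrok",
                "reason": f"DNS query to {query} from {image}",
                "tunnel_started": True, "command_line": "",
            }
    return None


def scan(events):
    """Evaluate every event and return the list of findings."""
    return [f for f in map(evaluate_event, events) if f is not None]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Users\alice\Downloads\ngrok.exe",
     "OriginalFileName": "ngrok.exe", "CommandLine": "ngrok.exe tcp 3389"},
    {"EventID": 1, "Computer": "WS02", "Image": r"C:\Users\Public\svchost_update.exe",
     "OriginalFileName": "ngrok.exe", "CommandLine": "svchost_update.exe http 8080"},
    {"EventID": 1, "Computer": "WS03", "Image": r"C:\Tools\ngrok.exe",
     "OriginalFileName": "ngrok.exe", "CommandLine": "ngrok version"},
    {"EventID": 22, "Computer": "WS02", "Image": r"C:\Users\Public\svchost_update.exe",
     "QueryName": "1a2b3c4d.ngrok-free.app"},
    {"EventID": 22, "Computer": "WS01", "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "login.microsoftonline.com"},
    {"EventID": 1, "Computer": "srv01", "Image": "/usr/local/bin/cloudflared",
     "CommandLine": "cloudflared tunnel run"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Splitting the result into `reason` and `tunnel_started` mirrors how the story's Anomaly and Hunting detections differ: the renamed-binary and DNS matches are worth alerting on by themselves, while a bare `ngrok version` execution is hunting material rather than an alert.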
References
- https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf
- https://attack.mitre.org/software/S0508/
Source: GitHub | Version: 2