Ngrok Reverse Proxy on Network ASIM DNS Solution
| Id | 50b0dfb7-2c94-4eaf-a332-a5936d78c263 |
| Rulename | Ngrok Reverse Proxy on Network (ASIM DNS Solution) |
| Description | This detection identifies the top four Ngrok domains from DNS resolution. Ngrok reverse proxy can bypass network defense. While not inherently harmful, it has been used for malicious activities recently. |
| Severity | Medium |
| Tactics | CommandAndControl |
| Techniques | T1572 T1090 T1102 |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DNS Essentials/Analytic Rules/NgrokReverseProxyOnNetwork.yaml |
| Version | 1.0.0 |
| Arm template | 50b0dfb7-2c94-4eaf-a332-a5936d78c263.json |
// Define a list of Ngrok domains
let NgrokDomains = dynamic(["ngrok.com", "ngrok.io", "ngrok", "tunnel.com", "korgn", "lennut.com"]);
// Query the _Im_Dns function for the past 1 hour
_Im_Dns(starttime=ago(1h))
| where isnotempty(DnsQuery) // Filter out empty DNS queries
| where DnsQuery has_any (NgrokDomains) // Filter DNS queries that match any of the Ngrok domains
| summarize Starttime = min(EventStartTime),Endtime=max(EventEndTime),EventsCount=sum(EventCount),EventResults=make_set(EventResult,4) by DnsQuery, Domain, SrcIpAddr, Dvc
// Summarize the data by Domain, DNS query, source IP address, and device Dvc
name: Ngrok Reverse Proxy on Network (ASIM DNS Solution)
relevantTechniques:
- T1572
- T1090
- T1102
eventGroupingSettings:
aggregationKind: AlertPerResult
requiredDataConnectors: []
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DNS Essentials/Analytic Rules/NgrokReverseProxyOnNetwork.yaml
query: |
// Define a list of Ngrok domains
let NgrokDomains = dynamic(["ngrok.com", "ngrok.io", "ngrok", "tunnel.com", "korgn", "lennut.com"]);
// Query the _Im_Dns function for the past 1 hour
_Im_Dns(starttime=ago(1h))
| where isnotempty(DnsQuery) // Filter out empty DNS queries
| where DnsQuery has_any (NgrokDomains) // Filter DNS queries that match any of the Ngrok domains
| summarize Starttime = min(EventStartTime),Endtime=max(EventEndTime),EventsCount=sum(EventCount),EventResults=make_set(EventResult,4) by DnsQuery, Domain, SrcIpAddr, Dvc
// Summarize the data by Domain, DNS query, source IP address, and device Dvc
tactics:
- CommandAndControl
description: |
'This detection identifies the top four Ngrok domains from DNS resolution. Ngrok reverse proxy can bypass network defense. While not inherently harmful, it has been used for malicious activities recently.'
entityMappings:
- fieldMappings:
- columnName: SrcIpAddr
identifier: Address
entityType: IP
- fieldMappings:
- columnName: Domain
identifier: DomainName
entityType: DNS
queryFrequency: 1h
triggerOperator: gt
version: 1.0.0
queryPeriod: 1h
status: Available
kind: Scheduled
severity: Medium
triggerThreshold: 0
id: 50b0dfb7-2c94-4eaf-a332-a5936d78c263
tags:
- Schema: ASimDns
SchemaVersion: 0.1.6
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/50b0dfb7-2c94-4eaf-a332-a5936d78c263')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/50b0dfb7-2c94-4eaf-a332-a5936d78c263')]",
"properties": {
"alertRuleTemplateName": "50b0dfb7-2c94-4eaf-a332-a5936d78c263",
"customDetails": null,
"description": "'This detection identifies the top four Ngrok domains from DNS resolution. Ngrok reverse proxy can bypass network defense. While not inherently harmful, it has been used for malicious activities recently.'\n",
"displayName": "Ngrok Reverse Proxy on Network (ASIM DNS Solution)",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SrcIpAddr",
"identifier": "Address"
}
]
},
{
"entityType": "DNS",
"fieldMappings": [
{
"columnName": "Domain",
"identifier": "DomainName"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DNS Essentials/Analytic Rules/NgrokReverseProxyOnNetwork.yaml",
"query": "// Define a list of Ngrok domains\nlet NgrokDomains = dynamic([\"ngrok.com\", \"ngrok.io\", \"ngrok\", \"tunnel.com\", \"korgn\", \"lennut.com\"]);\n// Query the _Im_Dns function for the past 1 hour\n_Im_Dns(starttime=ago(1h))\n| where isnotempty(DnsQuery) // Filter out empty DNS queries\n| where DnsQuery has_any (NgrokDomains) // Filter DNS queries that match any of the Ngrok domains\n| summarize Starttime = min(EventStartTime),Endtime=max(EventEndTime),EventsCount=sum(EventCount),EventResults=make_set(EventResult,4) by DnsQuery, Domain, SrcIpAddr, Dvc\n// Summarize the data by Domain, DNS query, source IP address, and device Dvc\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl"
],
"tags": [
{
"Schema": "ASimDns",
"SchemaVersion": "0.1.6"
}
],
"techniques": [
"T1090",
"T1102",
"T1572"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}