Ngrok Reverse Proxy on Network ASIM DNS Solution
| Id | 50b0dfb7-2c94-4eaf-a332-a5936d78c263 |
| Rulename | Ngrok Reverse Proxy on Network (ASIM DNS Solution) |
| Description | This detection identifies the top four Ngrok domains from DNS resolution. Ngrok reverse proxy can bypass network defense. While not inherently harmful, it has been used for malicious activities recently. |
| Severity | Medium |
| Tactics | CommandAndControl |
| Techniques | T1572 T1090 T1102 |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DNS Essentials/Analytic Rules/NgrokReverseProxyOnNetwork.yaml |
| Version | 1.0.0 |
| Arm template | 50b0dfb7-2c94-4eaf-a332-a5936d78c263.json |
// Define a list of Ngrok domains
let NgrokDomains = dynamic(["ngrok.com", "ngrok.io", "ngrok", "tunnel.com", "korgn", "lennut.com"]);
// Query the _Im_Dns function for the past 1 hour
_Im_Dns(starttime=ago(1h))
| where isnotempty(DnsQuery) // Filter out empty DNS queries
| where DnsQuery has_any (NgrokDomains) // Filter DNS queries that match any of the Ngrok domains
| summarize Starttime = min(EventStartTime),Endtime=max(EventEndTime),EventsCount=sum(EventCount),EventResults=make_set(EventResult,4) by DnsQuery, Domain, SrcIpAddr, Dvc
// Summarize the data by Domain, DNS query, source IP address, and device Dvc
id: 50b0dfb7-2c94-4eaf-a332-a5936d78c263
tactics:
- CommandAndControl
queryPeriod: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DNS Essentials/Analytic Rules/NgrokReverseProxyOnNetwork.yaml
eventGroupingSettings:
aggregationKind: AlertPerResult
triggerThreshold: 0
name: Ngrok Reverse Proxy on Network (ASIM DNS Solution)
query: |
// Define a list of Ngrok domains
let NgrokDomains = dynamic(["ngrok.com", "ngrok.io", "ngrok", "tunnel.com", "korgn", "lennut.com"]);
// Query the _Im_Dns function for the past 1 hour
_Im_Dns(starttime=ago(1h))
| where isnotempty(DnsQuery) // Filter out empty DNS queries
| where DnsQuery has_any (NgrokDomains) // Filter DNS queries that match any of the Ngrok domains
| summarize Starttime = min(EventStartTime),Endtime=max(EventEndTime),EventsCount=sum(EventCount),EventResults=make_set(EventResult,4) by DnsQuery, Domain, SrcIpAddr, Dvc
// Summarize the data by Domain, DNS query, source IP address, and device Dvc
severity: Medium
triggerOperator: gt
kind: Scheduled
relevantTechniques:
- T1572
- T1090
- T1102
tags:
- SchemaVersion: 0.1.6
Schema: ASimDns
queryFrequency: 1h
requiredDataConnectors: []
description: |
'This detection identifies the top four Ngrok domains from DNS resolution. Ngrok reverse proxy can bypass network defense. While not inherently harmful, it has been used for malicious activities recently.'
status: Available
version: 1.0.0
entityMappings:
- fieldMappings:
- columnName: SrcIpAddr
identifier: Address
entityType: IP
- fieldMappings:
- columnName: Domain
identifier: DomainName
entityType: DNS
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/50b0dfb7-2c94-4eaf-a332-a5936d78c263')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/50b0dfb7-2c94-4eaf-a332-a5936d78c263')]",
"properties": {
"alertRuleTemplateName": "50b0dfb7-2c94-4eaf-a332-a5936d78c263",
"customDetails": null,
"description": "'This detection identifies the top four Ngrok domains from DNS resolution. Ngrok reverse proxy can bypass network defense. While not inherently harmful, it has been used for malicious activities recently.'\n",
"displayName": "Ngrok Reverse Proxy on Network (ASIM DNS Solution)",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SrcIpAddr",
"identifier": "Address"
}
]
},
{
"entityType": "DNS",
"fieldMappings": [
{
"columnName": "Domain",
"identifier": "DomainName"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DNS Essentials/Analytic Rules/NgrokReverseProxyOnNetwork.yaml",
"query": "// Define a list of Ngrok domains\nlet NgrokDomains = dynamic([\"ngrok.com\", \"ngrok.io\", \"ngrok\", \"tunnel.com\", \"korgn\", \"lennut.com\"]);\n// Query the _Im_Dns function for the past 1 hour\n_Im_Dns(starttime=ago(1h))\n| where isnotempty(DnsQuery) // Filter out empty DNS queries\n| where DnsQuery has_any (NgrokDomains) // Filter DNS queries that match any of the Ngrok domains\n| summarize Starttime = min(EventStartTime),Endtime=max(EventEndTime),EventsCount=sum(EventCount),EventResults=make_set(EventResult,4) by DnsQuery, Domain, SrcIpAddr, Dvc\n// Summarize the data by Domain, DNS query, source IP address, and device Dvc\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl"
],
"tags": [
{
"Schema": "ASimDns",
"SchemaVersion": "0.1.6"
}
],
"techniques": [
"T1090",
"T1102",
"T1572"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}