Ngrok Reverse Proxy on Network ASIM DNS Solution
| Id | 50b0dfb7-2c94-4eaf-a332-a5936d78c263 |
| Rulename | Ngrok Reverse Proxy on Network (ASIM DNS Solution) |
| Description | This detection identifies the top four Ngrok domains from DNS resolution. Ngrok reverse proxy can bypass network defense. While not inherently harmful, it has been used for malicious activities recently. |
| Severity | Medium |
| Tactics | CommandAndControl |
| Techniques | T1572 T1090 T1102 |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DNS Essentials/Analytic Rules/NgrokReverseProxyOnNetwork.yaml |
| Version | 1.0.0 |
| Arm template | 50b0dfb7-2c94-4eaf-a332-a5936d78c263.json |
// Define a list of Ngrok domains
let NgrokDomains = dynamic(["ngrok.com", "ngrok.io", "ngrok", "tunnel.com", "korgn", "lennut.com"]);
// Query the _Im_Dns function for the past 1 hour
_Im_Dns(starttime=ago(1h))
| where isnotempty(DnsQuery) // Filter out empty DNS queries
| where DnsQuery has_any (NgrokDomains) // Filter DNS queries that match any of the Ngrok domains
| summarize Starttime = min(EventStartTime),Endtime=max(EventEndTime),EventsCount=sum(EventCount),EventResults=make_set(EventResult,4) by DnsQuery, Domain, SrcIpAddr, Dvc
// Summarize the data by Domain, DNS query, source IP address, and device Dvc
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DNS Essentials/Analytic Rules/NgrokReverseProxyOnNetwork.yaml
query: |
// Define a list of Ngrok domains
let NgrokDomains = dynamic(["ngrok.com", "ngrok.io", "ngrok", "tunnel.com", "korgn", "lennut.com"]);
// Query the _Im_Dns function for the past 1 hour
_Im_Dns(starttime=ago(1h))
| where isnotempty(DnsQuery) // Filter out empty DNS queries
| where DnsQuery has_any (NgrokDomains) // Filter DNS queries that match any of the Ngrok domains
| summarize Starttime = min(EventStartTime),Endtime=max(EventEndTime),EventsCount=sum(EventCount),EventResults=make_set(EventResult,4) by DnsQuery, Domain, SrcIpAddr, Dvc
// Summarize the data by Domain, DNS query, source IP address, and device Dvc
description: |
'This detection identifies the top four Ngrok domains from DNS resolution. Ngrok reverse proxy can bypass network defense. While not inherently harmful, it has been used for malicious activities recently.'
severity: Medium
requiredDataConnectors: []
eventGroupingSettings:
aggregationKind: AlertPerResult
tags:
- Schema: ASimDns
SchemaVersion: 0.1.6
triggerThreshold: 0
entityMappings:
- entityType: IP
fieldMappings:
- columnName: SrcIpAddr
identifier: Address
- entityType: DNS
fieldMappings:
- columnName: Domain
identifier: DomainName
tactics:
- CommandAndControl
version: 1.0.0
relevantTechniques:
- T1572
- T1090
- T1102
triggerOperator: gt
name: Ngrok Reverse Proxy on Network (ASIM DNS Solution)
id: 50b0dfb7-2c94-4eaf-a332-a5936d78c263
status: Available
kind: Scheduled
queryFrequency: 1h
queryPeriod: 1h
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/50b0dfb7-2c94-4eaf-a332-a5936d78c263')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/50b0dfb7-2c94-4eaf-a332-a5936d78c263')]",
"properties": {
"alertRuleTemplateName": "50b0dfb7-2c94-4eaf-a332-a5936d78c263",
"customDetails": null,
"description": "'This detection identifies the top four Ngrok domains from DNS resolution. Ngrok reverse proxy can bypass network defense. While not inherently harmful, it has been used for malicious activities recently.'\n",
"displayName": "Ngrok Reverse Proxy on Network (ASIM DNS Solution)",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SrcIpAddr",
"identifier": "Address"
}
]
},
{
"entityType": "DNS",
"fieldMappings": [
{
"columnName": "Domain",
"identifier": "DomainName"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DNS Essentials/Analytic Rules/NgrokReverseProxyOnNetwork.yaml",
"query": "// Define a list of Ngrok domains\nlet NgrokDomains = dynamic([\"ngrok.com\", \"ngrok.io\", \"ngrok\", \"tunnel.com\", \"korgn\", \"lennut.com\"]);\n// Query the _Im_Dns function for the past 1 hour\n_Im_Dns(starttime=ago(1h))\n| where isnotempty(DnsQuery) // Filter out empty DNS queries\n| where DnsQuery has_any (NgrokDomains) // Filter DNS queries that match any of the Ngrok domains\n| summarize Starttime = min(EventStartTime),Endtime=max(EventEndTime),EventsCount=sum(EventCount),EventResults=make_set(EventResult,4) by DnsQuery, Domain, SrcIpAddr, Dvc\n// Summarize the data by Domain, DNS query, source IP address, and device Dvc\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl"
],
"tags": [
{
"Schema": "ASimDns",
"SchemaVersion": "0.1.6"
}
],
"techniques": [
"T1090",
"T1102",
"T1572"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}