Ngrok Reverse Proxy on Network ASIM DNS Solution
| Id | 50b0dfb7-2c94-4eaf-a332-a5936d78c263 |
| Rulename | Ngrok Reverse Proxy on Network (ASIM DNS Solution) |
| Description | This detection identifies the top four Ngrok domains from DNS resolution. Ngrok reverse proxy can bypass network defense. While not inherently harmful, it has been used for malicious activities recently. |
| Severity | Medium |
| Tactics | CommandAndControl |
| Techniques | T1572 T1090 T1102 |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DNS Essentials/Analytic Rules/NgrokReverseProxyOnNetwork.yaml |
| Version | 1.0.0 |
| Arm template | 50b0dfb7-2c94-4eaf-a332-a5936d78c263.json |
// Define a list of Ngrok domains
let NgrokDomains = dynamic(["ngrok.com", "ngrok.io", "ngrok", "tunnel.com", "korgn", "lennut.com"]);
// Query the _Im_Dns function for the past 1 hour
_Im_Dns(starttime=ago(1h))
| where isnotempty(DnsQuery) // Filter out empty DNS queries
| where DnsQuery has_any (NgrokDomains) // Filter DNS queries that match any of the Ngrok domains
| summarize Starttime = min(EventStartTime),Endtime=max(EventEndTime),EventsCount=sum(EventCount),EventResults=make_set(EventResult,4) by DnsQuery, Domain, SrcIpAddr, Dvc
// Summarize the data by Domain, DNS query, source IP address, and device Dvc
triggerThreshold: 0
query: |
// Define a list of Ngrok domains
let NgrokDomains = dynamic(["ngrok.com", "ngrok.io", "ngrok", "tunnel.com", "korgn", "lennut.com"]);
// Query the _Im_Dns function for the past 1 hour
_Im_Dns(starttime=ago(1h))
| where isnotempty(DnsQuery) // Filter out empty DNS queries
| where DnsQuery has_any (NgrokDomains) // Filter DNS queries that match any of the Ngrok domains
| summarize Starttime = min(EventStartTime),Endtime=max(EventEndTime),EventsCount=sum(EventCount),EventResults=make_set(EventResult,4) by DnsQuery, Domain, SrcIpAddr, Dvc
// Summarize the data by Domain, DNS query, source IP address, and device Dvc
relevantTechniques:
- T1572
- T1090
- T1102
tactics:
- CommandAndControl
entityMappings:
- fieldMappings:
- identifier: Address
columnName: SrcIpAddr
entityType: IP
- fieldMappings:
- identifier: DomainName
columnName: Domain
entityType: DNS
requiredDataConnectors: []
kind: Scheduled
queryPeriod: 1h
eventGroupingSettings:
aggregationKind: AlertPerResult
severity: Medium
id: 50b0dfb7-2c94-4eaf-a332-a5936d78c263
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DNS Essentials/Analytic Rules/NgrokReverseProxyOnNetwork.yaml
version: 1.0.0
description: |
'This detection identifies the top four Ngrok domains from DNS resolution. Ngrok reverse proxy can bypass network defense. While not inherently harmful, it has been used for malicious activities recently.'
triggerOperator: gt
tags:
- Schema: ASimDns
SchemaVersion: 0.1.6
name: Ngrok Reverse Proxy on Network (ASIM DNS Solution)
status: Available
queryFrequency: 1h
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/50b0dfb7-2c94-4eaf-a332-a5936d78c263')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/50b0dfb7-2c94-4eaf-a332-a5936d78c263')]",
"properties": {
"alertRuleTemplateName": "50b0dfb7-2c94-4eaf-a332-a5936d78c263",
"customDetails": null,
"description": "'This detection identifies the top four Ngrok domains from DNS resolution. Ngrok reverse proxy can bypass network defense. While not inherently harmful, it has been used for malicious activities recently.'\n",
"displayName": "Ngrok Reverse Proxy on Network (ASIM DNS Solution)",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SrcIpAddr",
"identifier": "Address"
}
]
},
{
"entityType": "DNS",
"fieldMappings": [
{
"columnName": "Domain",
"identifier": "DomainName"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DNS Essentials/Analytic Rules/NgrokReverseProxyOnNetwork.yaml",
"query": "// Define a list of Ngrok domains\nlet NgrokDomains = dynamic([\"ngrok.com\", \"ngrok.io\", \"ngrok\", \"tunnel.com\", \"korgn\", \"lennut.com\"]);\n// Query the _Im_Dns function for the past 1 hour\n_Im_Dns(starttime=ago(1h))\n| where isnotempty(DnsQuery) // Filter out empty DNS queries\n| where DnsQuery has_any (NgrokDomains) // Filter DNS queries that match any of the Ngrok domains\n| summarize Starttime = min(EventStartTime),Endtime=max(EventEndTime),EventsCount=sum(EventCount),EventResults=make_set(EventResult,4) by DnsQuery, Domain, SrcIpAddr, Dvc\n// Summarize the data by Domain, DNS query, source IP address, and device Dvc\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl"
],
"tags": [
{
"Schema": "ASimDns",
"SchemaVersion": "0.1.6"
}
],
"techniques": [
"T1090",
"T1102",
"T1572"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}