Ngrok Reverse Proxy on Network (ASIM DNS Solution)
'This detection identifies the top four Ngrok domains from DNS resolution. Ngrok reverse proxy can bypass network defense. While not inherently harmful, it has been used for malicious activities recently.'
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Command & Control | T1090 Proxy, T1102 Web Service, T1572 Protocol Tunneling |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 22 | DNSEvent (DNS query) |
Stages and Predicates
Stage 1: source
_Im_Dns
Stage 2: where
DnsQuery is_not_null
Stage 3: where
DnsQuery match "NgrokDomains"
Stage 4: summarize
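The four stages above describe the shape of the rule but not the query itself. The following KQL is an added reconstruction of that pipeline for illustration, not the rule's own code from the Sentinel content: the `NgrokDomains` list, the one-day lookback and the summarize columns are assumptions, and the `_Im_Dns` parser, `DnsQuery`, `SrcIpAddr`, `SrcHostname` and `TimeGenerated` are the standard ASIM DNS schema fields.

```kusto
// Added example reconstructing the rule's stages; not the original rule text.
// ASSUMPTION: the rule's "top four" domains are not listed on the page, so this
// list is illustrative. Replace it with the domains the deployed rule carries.
let NgrokDomains = dynamic(["ngrok.io", "ngrok.com", "ngrok.app", "ngrok-free.app"]);
let lookback = 1d;                       // assumed scheduling window
// Stage 1: source. The ASIM DNS parser unifies Sysmon event 22 and other DNS sources.
_Im_Dns(starttime=ago(lookback))
// Stage 2: drop events that carry no query name (nothing to match on).
| where isnotempty(DnsQuery)
// Stage 3: keep queries for the listed domains. has_any is term-based, so
// "abc123.ngrok.io" matches "ngrok.io" without a regex.
| where DnsQuery has_any (NgrokDomains)
// Stage 4: one row per querying host, with counts and the distinct names seen,
// so a single tunnel client that polls repeatedly does not flood the alert queue.
| summarize EventCount = count(),
            StartTime = min(TimeGenerated),
            EndTime = max(TimeGenerated),
            QueriedNames = make_set(DnsQuery, 10)
  by SrcIpAddr, SrcHostname
| order by EventCount desc
```

When tuning, check the summarize output against known legitimate ngrok users (developers testing webhooks) before enabling alerting; the rule fires on the DNS lookup alone, so a host that resolves the domain but never completes a tunnel still surfaces here and is best triaged with the ASIM network session data for the same `SrcIpAddr`.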
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| DnsQuery | match | NgrokDomains (list defined in the rule) |