Detection rules › Splunk
Ngrok Reverse Proxy on Network
The following analytic detects DNS queries to common Ngrok domains, indicating potential use of the Ngrok reverse proxy tool. It leverages the Network Resolution datamodel to identify queries to domains such as ".ngrok.com" and ".ngrok.io". While Ngrok usage is not inherently malicious, it has been increasingly adopted by adversaries for covert communication and data exfiltration. If confirmed malicious, this activity could allow attackers to bypass network defenses, establish persistent connections, and exfiltrate sensitive data, posing a significant threat to the network's security.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Command & Control | T1090 Proxy, T1102 Web Service, T1572 Protocol Tunneling |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 22 | DNSEvent (DNS query) |
Stages and Predicates
Stage 1: tstats
tstats WHERE DNS.query IN ("*.ngrok.com", "*.ngrok.io", "korgn.*.lennut.com", "ngrok.*.tunnel.com") BY DNS.answer, DNS.answer_count, DNS.query, DNS.query_count, DNS.reply_code_id, DNS.src, DNS.vendor_product
Stage 2: search
search
Stage 3: search
search
Stage 4: search
search
Stage 5: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
DNS.query | in |
|