Site icon Sophos News

Rapid Response: The Ngrok Incident Guide

This article is part of a series of step-by-step incident guides created by the Sophos Rapid Response team to help incident responders and security-operations teams identify and remediate widely seen threat tools, techniques, and behaviors.

What Is Ngrok and How Is It Used by Threat Actors? 

Ngrok is a cross-platform tool that exposes local network ports to the internet via secure tunneling.  It provides secure tunnels between the internet and computer systems that exist behind a firewall or Network Access Translation (NAT) solution, and which use the Transmission Control Protocol (TCP). Once a port has been chosen as the desired communication channel, the necessary tunneling configurations are set up within the ngrok process. Ngrok’s cloud services facilitate two-way network traffic that is relayed back to the running ngrok process and forwards the network traffic to the specified local port. 

A limited version of the tool is freely available at ngrok.com for noncommercial use, and a fuller-fledged version can be licensed for commercial use. Unfortunately, it also figures into various attack strategies when malicious actors use its tunneling capabilities to connect to command-and-control (C2) servers, download malicious code, and so forth while bypassing network protections. 

Other likely reasons for its popularity with attackers include:   

Incident Guide Context 

This guide only addresses the investigation and mitigation of incidents involving the detection of ngrok on the network. We strongly recommend that responders ascertain whether ngrok is in use on their network for legitimate purposes before proceeding with mitigation. 

The guide uses features of Sophos XDR, such as Live Discover and Live Response, to illustrate the steps defenders can take. Security professionals that are not using Sophos XDR but have access to other tools such as OSQuery can adapt and apply the information to their needs. 

Queries and commands referenced in the guide are some of the methods used by the Sophos Rapid Response team during incident engagements. They are recommendations only; there will be other ways of accomplishing each task. 

Any instructions to remove items should be double-checked to prevent the accidental removal of legitimate client configurations. 

Investigate 

The goal of this section is to establish if there are any Indicators of Compromise (IOC) on the affected system that are related to ngrok. In subsequent sections we will provide steps to analyze and respond to the results of investigation. For purposes of illustration, we will draw on two separate response scenarios in these sections. We will occasionally use green text to draw attention to significant details. 

Check for Live Processes 

First, run a query on the network to check the currently running processes.  

Sophos XDR customers can create and run new Live Discover queries to do this. If you are new to Live Discover, the help guide can assist you in putting those together. The basic steps are as follows: 

  1. Login to Sophos Central, then go to Threat Analysis Center > Live Discover
  2. Enable “Designer Mode”
  3. Select “Create new query”
  4. Give your query a name and description and select a category under which to store it. Be sure to select “Live Endpoint”
  5. Copy the SQL details from the Rapid Response GitHub page: Process.01.0 – List running processes tool.txt
  6. Save the query

In our example, we ran some queries on DNS, HTTP, and PowerShell checking for any signs of ngrok. These are presented here along with the findings.

Moving on, we start to dig deeper in DNS, Journals, and other logged data. These options are presented here along with the findings.

Analyze

The following information is based on intelligence gathered during two incident response investigations in which ngrok was introduced to the targeted network and abused by attackers.

Incident One

Incident Two

Here, ngrok artifacts (based on ngrok TCP 3389 binding and payload retrieval via web protocols) were found. These are listed below along with their location. Values shown in green represent data that could be used to suggest ngrok presence / activity.

Respond

Now that we have information derived from investigation and analysis, we can respond to an unwanted instance of ngrok and clean up the network/endpoints, using Sophos Central (or other installed security solution and policies) to block the application. There are various ways to accomplish this.

Sophos Central has a global block list by hash (although only versions of ngrok that have hashes added would be blocked).

Microsoft AppLocker policies / rule sets concerning unsigned binaries can also be put in place to counter this, since the ngrok binary is currently not digitally signed.

Mitigation can also be handled at the proxy servers or firewalls (if reviewing DNS requests / TLS decryption packet inspection). Although ngrok binaries can differ in name, hash, location, and so forth, the initial network communications to use ngrok’s public infrastructure appear to be static. For example:

Likewise, for DNS requests, a similar approach could be adopted to block ngrok traffic and identify which machines were initiating the DNS requests. Note that as shown in various instances above, ngrok uses multiple top-level domains (.com, .io):

Before restoring from backup, remember to check that your backups are also clean.

Exit mobile version