.. /ngrok
Star

Insiders as well as threat actors can ingress into an environment via ngrok, which functions as a reverse proxy. ngrok is no longer open source but the previous source code is still available (linked below).

Paths:

ngrok.exe (standalone executable)
ngrok (standalone executable)

Resources:

Acknowledgements:

Dan O'Day (@4n68r)
Kirill Magaskin (@k1rpI7ch)

Detections:

Domain: *.ngrok.com
Domain: *.ngrok.io
Domain: *.ngrok.dev
Domain: *.ngrok.app
Domain: *.ngrok.pro
Domain: *.ngrok.pizza
Domain: *.ngrok-agent.com
Domain: *.ngrok-free.app
Domain: *.ngrok-cname.com
Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ngrok_network_sigma.yml
Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ngrok_processes_sigma.yml

Install

Initial ngrok configuration.
```
ngrok authtoken 'AUTHTOKEN_GOES_HERE'
```
Use case
Configures ngrok to use specified authentication token.

Privileges required
User

Operating systems
Windows, Mac, Linux

Access

Sends connection to configured upstream service on port.
```
ngrok tcp|http <PORT>
```
Use case
Establishes reverse proxy via ngrok edge.

Privileges required
User

Operating systems
Windows, Mac, Linux