Rule Info
Name
Ngrok Reverse Tunnel Without Installation - Windows
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the use of an ngrok reverse tunnel via SSH without installing ngrok, which could be used to expose internal services to the internet.
Adversaries may use ngrok to create reverse tunnels to bypass network restrictions and facilitate lateral movement or data exfiltration.
Date
2025-10-15 00:00:00
Modified
None
Id
5a02571e-307d-4e9d-b322-92c4b10e1e0f
Tags
attack.exfiltration attack.command-and-control attack.t1567 attack.t1568.002 attack.t1572 attack.t1090 attack.t1102 attack.s0508
Type
Nextron Sigma feed only (private)
