@SecMab SecMab commented Dec 31, 2025

Detects Ligolo-ng agent and proxy execution for network pivoting

  • MITRE ATT&CK: T1572 (Protocol Tunneling)
  • Covers renamed binaries via OriginalFileName field
  • Addresses detection gap for modern tunneling tools

Summary of the Pull Request

This PR adds detection for Ligolo-ng, a modern tunneling tool used for network pivoting. Currently, SigmaHQ has no coverage for this tool despite its widespread use in penetration testing and adoption by threat actors.

Changelog

new: Ligolo-ng Tunneling Tool Execution

Example Log Event

N/A - New detection rule (not a false positive fix)

Fixed Issues

N/A - New rule submission

SigmaHQ Rule Creation Conventions

  • Followed SigmaHQ naming conventions
  • Applied proper MITRE ATT&CK tagging (T1572)
  • Used unique UUID v4 identifier
  • Set status to 'experimental' for new rule

@github-actions github-actions bot added Rules Review Needed The PR requires review Windows Pull request add/update windows related rules labels Dec 31, 2025
@swachchhanda000 swachchhanda000 (Collaborator) left a comment


Hi @SecMab,

Thank you for your contribution! Keep them coming.

However, before we start with the PR review, please make sure:

  1. Your rule follows the Sigma standard specification. You can also check related rules which are already merged in the repo.
  2. All automated checks and actions are passing.

PSA: We also appreciate a corresponding evtx log for regression testing.

@swachchhanda000 swachchhanda000 added Author Input Required changes the require information from original author of the rules Additional Data Needed labels Jan 1, 2026
@frack113 frack113 (Member) left a comment


You have to fix your YAML to pass the workflow:

======================
= Linting YAML files =
======================
Error: /windows/process_creation/proc_creation_win_hktl_ligolo_ng.yml:19:13: [error] wrong indentation: expected 14 but found 12 (indentation)
Error: Process completed with exit code 1.

description: Detects execution of Ligolo-ng agent or proxy, a tunneling tool commonly used for network pivoting in penetration testing and by threat actors
references:
- https://github.com/nicocha30/ligolo-ng
- https://attack.mitre.org/techniques/T1572/
Member left a comment

Suggested change
- https://attack.mitre.org/techniques/T1572/

We use the MITRE tag in the repo, as you did.

- https://github.com/nicocha30/ligolo-ng
- https://attack.mitre.org/techniques/T1572/
author: MAB
date: 2025/12/31
Member left a comment

Suggested change
date: 2025/12/31
date: 2025-12-31

Check the specification for more information.

…ITRE URL

- Fixed date format to ISO 8601 (YYYY-MM-DD)
- Corrected YAML indentation errors
- Removed MITRE ATT&CK URL from references
- Maintained detection logic with proper structure
SecMab (Author) commented Jan 1, 2026

EVTX Samples for Regression Testing.zip

Attached Sysmon Event ID 1 (Process Creation) logs from test environment.

Test Scenarios Executed:

| File | Test Case | Detection |
| --- | --- | --- |
| Agent-with-connect flag.evtx | agent.exe -connect | selection_img + selection_cli |
| Proxy-with-selfcert flag.evtx | proxy.exe -selfcert | selection_img + selection_cli |
| VariousCommand-Line_Flags.evtx | Multiple CLI flag combinations | selection_cli |
| VariousCommand-Line_Flags_2.evtx | Additional CLI flag tests | selection_cli |
| csrssEXE_...evtx | Renamed binary (csrss.exe) | selection_cli |
| svchostEXE_...evtx | Renamed binary (svchost.exe) | selection_cli |

Key Findings:

  • selection_img: Detects original agent.exe and proxy.exe filenames
  • selection_cli: Detects -connect, -selfcert, and -ignore-cert flags
  • ℹ️ selection_originalfilename: OriginalFileName field is empty in Ligolo-ng PE headers, but renamed binaries are still detected via selection_cli

Environment:

  • Windows 11 with Sysmon
  • Ligolo-ng v0.6.2 (Core detection logic remains consistent across versions up to v0.8.2)

Future Improvements:

  • Daemon mode flags (--daemon, -d); not critical for the initial rule.
  • Config file detection (Sysmon Event ID 11) is on the roadmap for a separate rule.

All test scenarios successfully detected by the rule.

FYI @swachchhanda000 @frack113

Comment on lines +26 to +28
- '-connect'
- '-ignore-cert'
- '-selfcert'
Member left a comment

Many tools use that type of CLI option.
You cannot have a high-level rule with many FPs.
Look at https://github.com/SigmaHQ/sigma/blob/6fe7343bf79306884b05837d5e03bcbcb141ce50/rules/windows/process_creation/proc_creation_win_nltest_recon.yml as an example.

Comment on lines +18 to +19
- '\agent.exe'
- '\proxy.exe'
Collaborator left a comment

Suggested change
- '\agent.exe'
- '\proxy.exe'

These names are also very generic. When writing a rule about an HKTL,
we try to use very specific process names, OriginalFileName or Imphash.

In some cases, we also use command lines that may include combinations of flags or specific strings which are unique to that particular tool only.

Please have a look at other HKTL or PUA rules in the repo for a better understanding and make the changes accordingly.
Thanks
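
As an added example (not code from the PR, the rule under review, or the SigmaHQ repo), the three selections described in SecMab's test summary above (selection_img, selection_cli, selection_originalfilename) replayed in Python against constructed Sysmon Event ID 1 records, next to a tightened variant that requires image and command line together, to make the false-positive point raised in the two review comments concrete. Assumptions: the rule's condition is taken to be "1 of selection_*", which is what the test table implies but the PR never shows; the OriginalFileName values are assumed; and every event record below is constructed, not real telemetry.

```python
"""Replay of the Ligolo-ng rule's selections over constructed Sysmon events.

Added example, not part of the SigmaHQ PR. Shows which selection fires on
each record, why the renamed csrss.exe case is only caught by the
command-line selection, and how the generic 'agent.exe' / '-connect'
matchers also fire on unrelated software (the reviewers' FP concern).
"""

from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal stand-in for the Sysmon Event ID 1 fields the rule reads."""
    image: str
    command_line: str
    original_file_name: str = ""  # empty for Ligolo-ng builds, per the PR test notes
    label: str = ""               # demo-only description of the record


# Field contents as shown in the PR review snippets.
IMAGE_SUFFIXES = ("\\agent.exe", "\\proxy.exe")       # selection_img: Image|endswith
CLI_FLAGS = ("-connect", "-ignore-cert", "-selfcert")  # selection_cli: CommandLine|contains
# The PR says OriginalFileName is covered but never shows the values; assumed here.
ORIGINAL_FILE_NAMES = ("agent.exe", "proxy.exe")      # selection_originalfilename (assumed)


def matched_selections(ev: ProcEvent) -> set:
    """Names of the selections that fire on one event.
    Sigma string matching is case-insensitive, so fields are lower-cased first."""
    image = ev.image.lower()
    cmd = ev.command_line.lower()
    ofn = ev.original_file_name.lower()
    hits = set()
    if image.endswith(IMAGE_SUFFIXES):
        hits.add("selection_img")
    if any(flag in cmd for flag in CLI_FLAGS):
        hits.add("selection_cli")
    if ofn in ORIGINAL_FILE_NAMES:  # exact match; "" never matches
        hits.add("selection_originalfilename")
    return hits


def loose_condition(hits: set) -> bool:
    """'1 of selection_*': the condition the PR's test table implies (assumed)."""
    return bool(hits)


def tight_condition(hits: set) -> bool:
    """Image AND command line together, the direction the reviewers point at."""
    return {"selection_img", "selection_cli"} <= hits


# Constructed records. Paths, hosts and the 11601 port are illustrative only.
EVENTS = [
    ProcEvent(r"C:\Users\Public\agent.exe",
              "agent.exe -connect 10.0.0.5:11601 -ignore-cert", label="ligolo agent"),
    ProcEvent(r"C:\Users\Public\proxy.exe", "proxy.exe -selfcert", label="ligolo proxy"),
    ProcEvent(r"C:\Users\Public\csrss.exe",
              "csrss.exe -connect 10.0.0.5:11601 -ignore-cert",
              label="ligolo agent renamed to csrss.exe"),
    ProcEvent(r"C:\Program Files\Monitoring\agent.exe",
              r'"C:\Program Files\Monitoring\agent.exe" --service',
              label="unrelated monitoring agent (constructed)"),
    ProcEvent(r"C:\Program Files\Acme\updater.exe",
              "updater.exe -connect updates.acme.example",
              label="unrelated tool using -connect (constructed)"),
    ProcEvent(r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs", label="benign svchost"),
]


def evaluate(events=EVENTS) -> dict:
    """Map each record's label to (alerts under loose, alerts under tight)."""
    result = {}
    for ev in events:
        hits = matched_selections(ev)
        result[ev.label] = (loose_condition(hits), tight_condition(hits))
    return result


def count_false_positives(events=EVENTS, condition=loose_condition) -> int:
    """Records labelled unrelated/benign that still alert under `condition`."""
    return sum(
        1 for ev in events
        if condition(matched_selections(ev))
        and ("unrelated" in ev.label or "benign" in ev.label)
    )


if __name__ == "__main__":
    for ev in EVENTS:
        hits = matched_selections(ev)
        print(f"{ev.label:45} loose={loose_condition(hits)!s:5} "
              f"tight={tight_condition(hits)!s:5} hits={sorted(hits)}")
    print("FPs loose:", count_false_positives())
    print("FPs tight:", count_false_positives(condition=tight_condition))
```

Running it shows the trade-off the thread is circling: the loose condition alerts on both unrelated records (a monitoring product shipping its own agent.exe, and any tool with a -connect switch), while the tightened condition drops those but also loses the renamed csrss.exe case, because the renamed binary only ever satisfied selection_cli. That is why the reviewers ask for tool-specific strings (Imphash, OriginalFileName, or a flag combination unique to Ligolo-ng) rather than either of these two shapes.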
