Skip to content

Add Ligolo-ng tunneling tool detection #5818

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
SecMab wants to merge 13 commits into
base: master
Choose a base branch
from
Open

Add Ligolo-ng tunneling tool detection #5818

Changes from 1 commit
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
1c9f505
Add Ligolo-ng tunneling tool detection
SecMab Dec 31, 2025
e849615
Apply reviewer feedback - fix date format, YAML indentation, remove M…
SecMab Jan 1, 2026
5e4efbd
Refactor: AND logic + CLI spacing for FP reduction
SecMab Jan 26, 2026
ffb70de
---
SecMab Jan 26, 2026
a7bde01
fix: logic changes and new dns rule
swachchhanda000 Feb 19, 2026
ff55e9d
fix: yamlinting
swachchhanda000 Feb 19, 2026
bddad24
fix: rules
swachchhanda000 Feb 19, 2026
18e200e
fix: add missing flag
swachchhanda000 Feb 19, 2026
e769d9f
add regression test
swachchhanda000 Feb 19, 2026
b5d2226
Merge branch 'master' into SecMab-patch-1
swachchhanda000 Feb 19, 2026
d5c71d7
fix: trailing whitespace
swachchhanda000 Feb 19, 2026
2aa1157
fix: author
swachchhanda000 Feb 19, 2026
a2e3459
Apply suggestions from code review
swachchhanda000 Feb 19, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 34 additions & 0 deletions rules/windows/process_creation/proc_creation_win_hktl_ligolo_ng.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
title: Ligolo-ng Tunneling Tool Execution
id: 0074da8e-5b3f-456b-9bf9-70beaf4bfb0d
status: experimental
description: Detects execution of Ligolo-ng agent or proxy, a tunneling tool commonly used for network pivoting in penetration testing and by threat actors
references:
- https://github.com/nicocha30/ligolo-ng
- https://attack.mitre.org/techniques/T1572/
author: MAB
date: 2025/12/31
tags:
- attack.command_and_control
- attack.t1572
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\agent.exe'
- '\proxy.exe'
Copy link
Collaborator

@swachchhanda000 swachchhanda000 Jan 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- '\agent.exe'
- '\proxy.exe'

These names are also very generic. When writing a rule about hktl,
we try to use the very specific process names, originalfilename or imphash.

In some cases, we also use command lines that may include combinations of flags or any specific strings which is unique to that specific tool only.

Please have a look at other HKTL or PUA rules on the repo for better understanding and make the changes accordingly.
Thanks

- '\ligolo-agent.exe'
- '\ligolo-proxy.exe'
- OriginalFileName|contains: 'ligolo'
selection_cli:
CommandLine|contains:
- '-connect'
- '-ignore-cert'
- '-selfcert'
Comment on lines +27 to +35
Copy link
Member

@frack113 frack113 Jan 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

many tools use that type of cli option.
You can not have a high rule with many FP.
Look at https://github.com/SigmaHQ/sigma/blob/6fe7343bf79306884b05837d5e03bcbcb141ce50/rules/windows/process_creation/proc_creation_win_nltest_recon.yml as example.

Comment on lines +25 to +35
Copy link
Collaborator

@swachchhanda000 swachchhanda000 Feb 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems like the best option possible, but i think the selection might still be prone to FPS issues? What are your thoughts on this, @nasbench?

- 'ligolo'
condition: selection_img or selection_cli
falsepositives:
- Legitimate penetration testing activities
- Red team exercises
level: high
Loading