
Add Ligolo-ng tunneling tool detection#5818

Open
SecMab wants to merge 13 commits intoSigmaHQ:masterfrom
SecMab:SecMab-patch-1

Conversation

@SecMab SecMab commented Dec 31, 2025

Detects Ligolo-ng agent and proxy execution for network pivoting

  • MITRE ATT&CK: T1572 (Protocol Tunneling)
  • Covers renamed binaries via OriginalFileName field
  • Addresses detection gap for modern tunneling tools

Summary of the Pull Request

This PR adds detection for Ligolo-ng, a modern tunneling tool used for network pivoting. Currently, SigmaHQ has no coverage for this tool despite its widespread use in penetration testing and adoption by threat actors.

Changelog

new: Ligolo-ng Tunneling Tool Execution

Example Log Event

N/A - New detection rule (not a false positive fix)

Fixed Issues

N/A - New rule submission

SigmaHQ Rule Creation Conventions

  • Followed SigmaHQ naming conventions
  • Applied proper MITRE ATT&CK tagging (T1572)
  • Used unique UUID v4 identifier
  • Set status to 'experimental' for new rule

Detects Ligolo-ng agent and proxy execution for network pivoting
- MITRE ATT&CK: T1572 (Protocol Tunneling)
- Covers renamed binaries via OriginalFileName field
- Addresses detection gap for modern tunneling tools
@github-actions github-actions bot added Rules Review Needed The PR requires review Windows Pull request add/update windows related rules labels Dec 31, 2025
Collaborator

@swachchhanda000 swachchhanda000 left a comment

Hi @SecMab,

Thank you for your contribution! Keep them coming.

However, before we start with the PR review, please make sure:

  1. Your rule follows the Sigma standard specification. You can also check related rules which are already merged on the repo.
  2. All automated checks and actions are passing

PSA: We also appreciate corresponding evtx log for regression test.

@swachchhanda000 swachchhanda000 added Author Input Required changes the require information from original author of the rules Additional Data Needed labels Jan 1, 2026
Member

@frack113 frack113 left a comment

You have to fix your yaml to pass the workflow:

======================
= Linting YAML files =
======================
Error: /windows/process_creation/proc_creation_win_hktl_ligolo_ng.yml:19:13: [error] wrong indentation: expected 14 but found 12 (indentation)
Error: Process completed with exit code 1.

…ITRE URL

- Fixed date format to ISO 8601 (YYYY-MM-DD)
- Corrected YAML indentation errors
- Removed MITRE ATT&CK URL from references
- Maintained detection logic with proper structure
Author

SecMab commented Jan 1, 2026

EVTX Samples for Regression Testing.zip

Attached Sysmon Event ID 1 (Process Creation) logs from test environment.

Test Scenarios Executed:

| File | Test Case | Detection |
|---|---|---|
| Agent-with-connect flag.evtx | agent.exe -connect | selection_img + selection_cli |
| Proxy-with-selfcert flag.evtx | proxy.exe -selfcert | selection_img + selection_cli |
| VariousCommand-Line_Flags.evtx | Multiple CLI flag combinations | selection_cli |
| VariousCommand-Line_Flags_2.evtx | Additional CLI flag tests | selection_cli |
| csrssEXE_...evtx | Renamed binary (csrss.exe) | selection_cli |
| svchostEXE_...evtx | Renamed binary (svchost.exe) | selection_cli |

Key Findings:

  • selection_img: Detects original agent.exe and proxy.exe filenames
  • selection_cli: Detects -connect, -selfcert, and -ignore-cert flags
  • ℹ️ selection_originalfilename: OriginalFileName field is empty in Ligolo-ng PE headers, but renamed binaries are still detected via selection_cli

Environment:

  • Windows 11 with Sysmon
  • Ligolo-ng v0.6.2 (Core detection logic remains consistent across versions up to v0.8.2)

Future Improvements:

  • Daemon mode flags (--daemon, -d). Not critical for the initial rule.
  • Config file detection (Sysmon ID 11) is on the roadmap for a separate rule.

All test scenarios successfully detected by the rule.

FYI @swachchhanda000 @frack113

Comment on lines 26 to 28
- '-connect'
- '-ignore-cert'
- '-selfcert'
Member

Many tools use that type of CLI option.
You cannot have a high rule with many FPs.
Look at https://github.com/SigmaHQ/sigma/blob/6fe7343bf79306884b05837d5e03bcbcb141ce50/rules/windows/process_creation/proc_creation_win_nltest_recon.yml as example.

Comment on lines 18 to 19
- '\agent.exe'
- '\proxy.exe'
Collaborator

Suggested change
- '\agent.exe'
- '\proxy.exe'

These names are also very generic. When writing a rule about an HKTL,
we try to use very specific process names, OriginalFileName or Imphash.

In some cases, we also use command lines that may include combinations of flags or any specific strings which are unique to that specific tool only.

Please have a look at other HKTL or PUA rules on the repo for better understanding and make the changes accordingly.
Thanks

- Changed from OR to AND logic to reduce false positives
- Added CLI switch spacing following SigmaHQ patterns
- Added T1090.001 MITRE tag for Internal Proxy
Author

SecMab commented Jan 26, 2026

Rule Updated - False Positive Reduction

Thank you @frack113 and @swachchhanda000 for the excellent feedback! I've refactored the rule following your guidance and studied similar rules in the repo.

Changes Made

1. AND Logic Implementation (addressing @frack113's feedback)

  • Generic process names (agent.exe, proxy.exe) now require specific CLI flags
  • Changed from 1 of selection_* to (img AND cli) combinations
  • Pattern follows nltest_recon.yml approach

2. Tool-Specific Detection (addressing @swachchhanda000's feedback)

  • Separated agent and proxy detection with their unique flags
  • Agent: -connect, -ignore-cert (connection flags)
  • Proxy: -selfcert, -laddr, -autocert (server flags)
  • Added "ligolo" keyword fallback for renamed/relocated binaries

3. CLI Switch Spacing

  • Added spaces following patterns from Evil-WinRM, Chisel, and Exchange rules
  • Flags with values: -connect (space before + after)
  • Boolean flags: -ignore-cert (space before only)

4. Additional Improvements

  • Added attack.t1090.001 (Internal Proxy) MITRE tag
  • Added Kali Linux tools reference

This approach maintains level: high while significantly reducing false positives by requiring both process identification AND tool-specific command-line arguments.
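To make the false-positive trade-off discussed in this thread concrete, here is an added example (not part of the PR, the rule file, or SigmaHQ's tooling) that evaluates the two rule shapes against constructed Sysmon Event ID 1 style records: the first revision's independent `selection_img` / `selection_cli` joined by `1 of selection_*` (OR), and the refactored revision's per-tool selections that AND the image name with tool-specific flags. The selection patterns are transcribed from the thread; the shape of the "ligolo" keyword fallback (`CommandLine|contains: 'ligolo'`) is an assumption, since the thread names it but does not show it, and every event below is constructed test data rather than a real log.

```python
# Added example: a minimal evaluator for the two rule shapes discussed in
# this PR (OR across independent selections vs. AND of image + command line).
# Selection patterns are transcribed from the thread; the "ligolo" keyword
# selection is an assumed shape; all events are constructed, not real logs.


def field_matches(value, modifier, patterns):
    """Apply one Sigma-style modifier ('endswith' or 'contains') case-insensitively.

    A list of patterns for a single field is an OR: any pattern matching the
    field value is enough.
    """
    if isinstance(patterns, str):
        patterns = [patterns]
    v = value.lower()
    for p in patterns:
        p = p.lower()
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "contains" and p in v:
            return True
    return False


def selection_matches(event, selection):
    """Every 'Field|modifier' entry in a selection must match (AND across fields)."""
    for key, patterns in selection.items():
        field, modifier = key.split("|", 1)
        if not field_matches(event.get(field, ""), modifier, patterns):
            return False
    return True


def rule_matches(event, rule):
    """Condition '1 of selection_*': the event matches if any selection matches."""
    return any(selection_matches(event, sel) for sel in rule.values())


# First revision as described in the thread: two independent selections joined
# by OR. Any agent.exe/proxy.exe fires, and so does any '-connect' on any image.
RULE_V1 = {
    "selection_img": {"Image|endswith": ["\\agent.exe", "\\proxy.exe"]},
    "selection_cli": {"CommandLine|contains": ["-connect", "-ignore-cert", "-selfcert"]},
}

# Refactored revision: image AND tool-specific flags inside each selection,
# plus the keyword fallback for renamed/relocated binaries (assumed shape).
RULE_V2 = {
    "selection_agent": {
        "Image|endswith": "\\agent.exe",
        "CommandLine|contains": ["-connect", "-ignore-cert", "-retry"],
    },
    "selection_proxy": {
        "Image|endswith": "\\proxy.exe",
        "CommandLine|contains": ["-autocert", "-laddr", "-selfcert"],
    },
    "selection_ligolo": {"CommandLine|contains": "ligolo"},  # assumed shape
}

# Constructed Sysmon Event ID 1 style records (labelled by what they stand for).
EVENTS = [
    # 0: agent with its original name and connection flags
    {"Image": r"C:\Users\lab\Tools\agent.exe",
     "CommandLine": "agent.exe -connect 10.0.0.5:11601 -ignore-cert"},
    # 1: proxy with its original name and a server flag
    {"Image": r"C:\Users\lab\Tools\proxy.exe",
     "CommandLine": "proxy.exe -selfcert"},
    # 2: renamed agent (csrss.exe), nothing in the command line says "ligolo"
    {"Image": r"C:\Users\lab\Tools\csrss.exe",
     "CommandLine": "csrss.exe -connect 10.0.0.5:11601 -ignore-cert"},
    # 3: unrelated backup product whose binary happens to be called agent.exe
    {"Image": r"C:\Program Files\Backup\agent.exe",
     "CommandLine": "agent.exe --service"},
    # 4: relocated binary launched by full path, directory name carries the keyword
    {"Image": r"C:\Tools\ligolo-ng\svchost.exe",
     "CommandLine": r'"C:\Tools\ligolo-ng\svchost.exe" -connect 10.0.0.5:11601'},
    # 5: unrelated client tool that also has a -connect option
    {"Image": r"C:\Tools\dbclient.exe",
     "CommandLine": "dbclient.exe -connect db01:5432"},
    # 6: ordinary service host, should match nothing
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]


def matching_indices(rule, events=EVENTS):
    """Return the indices of events the rule fires on."""
    return [i for i, e in enumerate(events) if rule_matches(e, rule)]


if __name__ == "__main__":
    print("OR  revision fires on:", matching_indices(RULE_V1))
    print("AND revision fires on:", matching_indices(RULE_V2))
```

Running it shows the OR revision firing on events 0 through 5, including the benign backup agent (3) and the unrelated `-connect` client (5), while the AND revision fires only on 0, 1 and 4. The renamed csrss.exe (2) is the cost of that change: it is no longer caught unless the keyword fallback or another selection covers it, which is exactly why the thread discusses the fallback and why OriginalFileName or Imphash would be the preferred anchor if the PE header populated them.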

@swachchhanda000 swachchhanda000 removed Author Input Required changes the require information from original author of the rules Additional Data Needed labels Feb 19, 2026
@swachchhanda000 swachchhanda000 added this to the Sigma-March-Release milestone Feb 19, 2026
Comment on lines +25 to +35
        Image|endswith: '\agent.exe'
        CommandLine|contains:
            - '-connect'
            - '-ignore-cert'
            - '-retry'
    selection_proxy:
        Image|endswith: '\proxy.exe'
        CommandLine|contains:
            - '-autocert'
            - '-laddr'
            - '-selfcert'
Collaborator

This seems like the best option possible, but I think the selection might still be prone to FP issues? What are your thoughts on this, @nasbench?
