Add Ligolo-ng tunneling tool detection

regression_data/rules/windows/dns_query/dns_query_win_ligolo_ng/2a4f57b2-3c8e-4d91-a6f4-8b7e1c9d0f3a.json

@@ -0,0 +1,52 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 22,
+      "Version": 5,
+      "Level": 4,
+      "Task": 22,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-02-19T04:33:37.725098Z"
+        }
+      },
+      "EventRecordID": 138210,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3348,
+          "ThreadID": 4312
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2026-02-13 12:43:59.338",
+      "ProcessGuid": "0197231E-7D65-698E-E103-000000000F00",
+      "ProcessId": 6188,
+      "QueryName": "webui.ligolo.ng",
+      "QueryStatus": "9003",
+      "QueryResults": "-",
+      "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
+      "User": "swachchhanda\\xodih"
+    }
+  }
+}

regression_data/rules/windows/dns_query/dns_query_win_ligolo_ng/info.yml

@@ -0,0 +1,13 @@
+id: b9bd9c9c-c20b-41c3-b69f-7d5055e42319
+description: N/A
+date: 2026-02-19
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: 2a4f57b2-3c8e-4d91-a6f4-8b7e1c9d0f3a
+      title: DNS Query to Ligolo-ng WebUI Domain
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/dns_query/dns_query_win_ligolo_ng/2a4f57b2-3c8e-4d91-a6f4-8b7e1c9d0f3a.evtx

regression_data/rules/windows/process_creation/proc_creation_win_hktl_ligolo_ng/0074da8e-5b3f-456b-9bf9-70beaf4bfb0d.json

@@ -0,0 +1,66 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-01-01T13:51:06.852220Z"
+        }
+      },
+      "EventRecordID": 979,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3464,
+          "ThreadID": 7448
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "Win11",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2026-01-01 13:51:06.851",
+      "ProcessGuid": "EBAE1502-7BCA-6956-ED02-000000000F00",
+      "ProcessId": 3016,
+      "Image": "C:\\Tools\\Ligolo\\agent.exe",
+      "FileVersion": "-",
+      "Description": "-",
+      "Product": "-",
+      "Company": "-",
+      "OriginalFileName": "-",
+      "CommandLine": "\"C:\\Tools\\Ligolo\\agent.exe\" -connect 127.0.0.1:11601 -ignore-cert",
+      "CurrentDirectory": "C:\\Tools\\Ligolo\\",
+      "User": "WIN11\\vboxuser",
+      "LogonGuid": "EBAE1502-7359-6956-666A-1E0000000000",
+      "LogonId": "0x1e6a66",
+      "TerminalSessionId": 1,
+      "IntegrityLevel": "High",
+      "Hashes": "MD5=C06551E7E0016A688D03FD9B414CFD76,SHA256=BB8D408A966628DAA0D1842E3F70A3A534DE7600C2B6484722D0B82956160F9E,IMPHASH=F0EA7B7844BBC5BFA9BB32EFDCEA957C",
+      "ParentProcessGuid": "EBAE1502-7A14-6956-B902-000000000F00",
+      "ParentProcessId": 1568,
+      "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
+      "ParentCommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"",
+      "ParentUser": "WIN11\\vboxuser"
+    }
+  }
+}

regression_data/rules/windows/process_creation/proc_creation_win_hktl_ligolo_ng/info.yml

@@ -0,0 +1,13 @@
+id: a6308f97-4c9b-4c8d-84be-9bd3607f8586
+description: N/A
+date: 2026-02-19
+author: MAB
+rule_metadata:
+    - id: 0074da8e-5b3f-456b-9bf9-70beaf4bfb0d
+      title: HackTool - Ligolo-ng Tunneling Tool Execution
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/process_creation/proc_creation_win_hktl_ligolo_ng/0074da8e-5b3f-456b-9bf9-70beaf4bfb0d.evtx

rules/network/dns/net_dns_hktl_ligolo_ng.yml

@@ -0,0 +1,28 @@
+title: DNS Query to Hacktool Ligolo-ng WebUI Domain - Network
+id: fdc4968b-6476-41ab-8034-d370bff68723
+related:
+    - id: 2a4f57b2-3c8e-4d91-a6f4-8b7e1c9d0f3a
+      type: similar
+status: experimental
+description: |
+    Detects DNS queries to the Ligolo-ng WebUI domain, which may indicate the use of the Ligolo-ng tunneling tool's web interface for managing reverse tunnels.
+    This might indicate potential command-and-control activity or unauthorized use of the Ligolo-ng tool within the network, as the WebUI is commonly used for controlling and monitoring tunnels established by Ligolo-ng.
+    Threat actors may leverage Ligolo-ng for network pivoting and lateral movement, and DNS queries to its WebUI domain could be a sign of such activity.
+references:
+    - https://docs.ligolo-ng.io/
+    - https://github.com/nicocha30/ligolo-ng
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2026-02-19
+tags:
+    - attack.command-and-control
+    - attack.t1572
+    - attack.t1090
+logsource:
+    category: dns
+detection:
+    selection:
+        query: 'webui.ligolo.ng'
+    condition: selection
+falsepositives:
+    - Legitimate use of Ligolo-ng for remote management; should be rare in enterprise environments
+level: high

rules/windows/dns_query/dns_query_win_hktl_ligolo_ng.yml

@@ -0,0 +1,30 @@
+title: DNS Query to Hacktool Ligolo-ng WebUI Domain
+id: 2a4f57b2-3c8e-4d91-a6f4-8b7e1c9d0f3a
+related:
+    - id: fdc4968b-6476-41ab-8034-d370bff68723
+      type: similar
+status: experimental
+description: |
+    Detects DNS queries to the Ligolo-ng WebUI domain, which may indicate the use of the Ligolo-ng tunneling tool's web interface for managing reverse tunnels.
+    This might indicate potential command-and-control activity or unauthorized use of the Ligolo-ng tool within the network, as the WebUI is commonly used for controlling and monitoring tunnels established by Ligolo-ng.
+    Threat actors may leverage Ligolo-ng for network pivoting and lateral movement, and DNS queries to its WebUI domain could be a sign of such activity.
+references:
+    - https://docs.ligolo-ng.io/
+    - https://github.com/nicocha30/ligolo-ng
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2026-02-19
+tags:
+    - attack.command-and-control
+    - attack.t1572
+    - attack.t1090
+logsource:
+    category: dns_query
+    product: windows
+detection:
+    selection:
+        QueryName: 'webui.ligolo.ng'
+    condition: selection
+falsepositives:
+    - Legitimate use of Ligolo-ng for remote management; should be rare in enterprise environments
+level: high
+regression_tests_path: regression_data/rules/windows/dns_query/dns_query_win_ligolo_ng/info.yml

rules/windows/process_creation/proc_creation_win_hktl_ligolo_ng.yml

@@ -0,0 +1,40 @@
+title: HackTool - Ligolo-ng Tunneling Tool Execution
+id: 0074da8e-5b3f-456b-9bf9-70beaf4bfb0d
+status: experimental
+description: |
+    Detects execution of Ligolo-ng tunneling agent or proxy used for network pivoting. Ligolo-ng is a tool that allows attackers to create encrypted tunnels for command-and-control communication or lateral movement.
+    Threat actors may use Ligolo-ng to bypass network segmentation and access internal resources on compromised networks.
+references:
+    - https://github.com/nicocha30/ligolo-ng
+    - https://docs.ligolo.ng/
+author: MAB
+date: 2026-02-19
+
+tags:
+    - attack.command-and-control
+    - attack.t1572
+    - attack.t1090.001
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|contains: '\ligolo'
+        - CommandLine|contains: '\ligolo'
+    selection_agent:
+        Image|endswith: '\agent.exe'
+        CommandLine|contains:
+            - '-connect'
+            - '-ignore-cert'
+            - '-retry'
+    selection_proxy:
+        Image|endswith: '\proxy.exe'
+        CommandLine|contains:
+            - '-autocert'
+            - '-laddr'
+            - '-selfcert'
+    condition: 1 of selection_*
+falsepositives:
+    - Legitimate use of Ligolo-ng for remote management; should be rare in enterprise environments
+level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_hktl_ligolo_ng/info.yml