Ligolo-ng

Ligolo-ng is a tunneling and pivoting tool that provides access to internal networks through reverse TCP/TLS connections. Unlike SOCKS proxies, it uses a TUN interface to route traffic within compromised environments. This makes it very useful for security professionals performing penetration tests, as it allows for efficient lateral movement and network exploration.

Key Insights

Ligolo-ng has several features that make it useful for security assessments. It has a simple UI with agent selection and network information display, so it is easy to use for both beginners and experienced operators. It supports automatic certificate configuration with Let’s Encrypt, so certificates do not have to be managed manually. It also has multiplexing capabilities, so multiple connections can share a single tunnel, and it does not require elevated privileges to work. The agent is compatible with multiple platforms, making it versatile across different network environments.

Use in Offensive Security

In offensive security scenarios, Ligolo-ng is used to establish tunnels from compromised machines back to the attacker’s infrastructure. This allows the attacker to pivot into internal networks, perform reconnaissance and exploit additional systems. It can create a userland network stack using gVisor, so tools such as Nmap can be run without proxychains, which simplifies and accelerates the assessment.

Detection and Mitigation Challenges

Although used in legitimate penetration testing, Ligolo-ng can also be used by malicious actors, which creates detection challenges. Its use of TLS and legitimate-looking traffic patterns makes it hard for traditional security solutions to detect unauthorized usage. Security teams must use advanced monitoring techniques, such as anomaly-based detection and behavioral analysis, to detect and mitigate Ligolo-ng abuse.

Known Variants

No specific variants of Ligolo-ng are documented. Since it is open source, it can be modified, and security professionals should be aware that customized versions may exhibit different behavior.

Mitigation Strategies

  • Implement advanced network monitoring to detect tunneling traffic.

  • Use endpoint protection solutions that can detect and block Ligolo-ng.

  • Conduct regular threat hunting to find potential misuse of legitimate tools in your environment.

  • Educate users about phishing and social engineering risks that can lead to the deployment of such tools.

Targeted Industries or Sectors

Ligolo-ng itself is a tool and does not target industries. When used by threat actors, however, it can appear across different sectors. For example, there was an instance where Ligolo-ng was used in a campaign that targeted organizations by impersonating the Y Combinator brand to establish credibility and deceive victims.

Associated Threat Actors

Although Ligolo-ng is a legitimate tool for security assessments, it has been used by threat actors. In one instance it was used alongside the Sliver C2 framework in an operation that targeted entities by impersonating the Y Combinator brand. Organizations should therefore monitor for unauthorized use of such tools in their networks.
