Communication To Ngrok Tunneling Service - Linux

calendar Oct 17, 2023 · attack.exfiltration attack.command_and_control attack.t1567 attack.t1568.002 attack.t1572 attack.t1090 attack.t1102 attack.s0508  ·
Share on: linkedin copy

Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors

Sigma rule (View on GitHub)

 1title: Communication To Ngrok Tunneling Service - Linux
 2id: 19bf6fdb-7721-4f3d-867f-53467f6a5db6
 3status: test
 4description: Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors
 5references:
 6    - https://twitter.com/hakluke/status/1587733971814977537/photo/1
 7    - https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent
 8author: Florian Roth (Nextron Systems)
 9date: 2022/11/03
10tags:
11    - attack.exfiltration
12    - attack.command_and_control
13    - attack.t1567
14    - attack.t1568.002
15    - attack.t1572
16    - attack.t1090
17    - attack.t1102
18    - attack.s0508
19logsource:
20    product: linux
21    category: network_connection
22detection:
23    selection:
24        DestinationHostname|contains:
25            - 'tunnel.us.ngrok.com'
26            - 'tunnel.eu.ngrok.com'
27            - 'tunnel.ap.ngrok.com'
28            - 'tunnel.au.ngrok.com'
29            - 'tunnel.sa.ngrok.com'
30            - 'tunnel.jp.ngrok.com'
31            - 'tunnel.in.ngrok.com'
32    condition: selection
33falsepositives:
34    - Legitimate use of ngrok
35level: high

References

Related rules

to-top