Communication To Ngrok Tunneling Service - Linux
Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden data exfiltration by malicious actors.
Sigma rule (View on GitHub)
```yaml
title: Communication To Ngrok Tunneling Service - Linux
id: 19bf6fdb-7721-4f3d-867f-53467f6a5db6
status: test
description: Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden data exfiltration by malicious actors
references:
  - https://twitter.com/hakluke/status/1587733971814977537/photo/1
  - https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent
author: Florian Roth (Nextron Systems)
date: 2022-11-03
tags:
  - attack.exfiltration
  - attack.command-and-control
  - attack.t1567
  - attack.t1568.002
  - attack.t1572
  - attack.t1090
  - attack.t1102
  - attack.s0508
logsource:
  product: linux
  category: network_connection
detection:
  selection:
    DestinationHostname|contains:
      - 'tunnel.us.ngrok.com'
      - 'tunnel.eu.ngrok.com'
      - 'tunnel.ap.ngrok.com'
      - 'tunnel.au.ngrok.com'
      - 'tunnel.sa.ngrok.com'
      - 'tunnel.jp.ngrok.com'
      - 'tunnel.in.ngrok.com'
  condition: selection
falsepositives:
  - Legitimate use of ngrok
level: high
```
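To show what the selection above actually matches, here is an added example (not part of the rule or the Sigma project) that applies the rule's `DestinationHostname|contains` logic to a few constructed Linux network_connection events; the event dicts and their field values are made up for illustration.

```python
import json
from typing import Dict, Iterable, List

# Hostnames from the rule's selection. Sigma's |contains modifier is a
# case-insensitive substring test, so the comparison below lowercases the field.
NGROK_TUNNEL_HOSTS = [
    "tunnel.us.ngrok.com",
    "tunnel.eu.ngrok.com",
    "tunnel.ap.ngrok.com",
    "tunnel.au.ngrok.com",
    "tunnel.sa.ngrok.com",
    "tunnel.jp.ngrok.com",
    "tunnel.in.ngrok.com",
]


def matches_ngrok_rule(event: Dict[str, str]) -> bool:
    """True when a network_connection event satisfies the rule's selection:
    DestinationHostname contains one of the ngrok tunnel endpoints."""
    host = event.get("DestinationHostname", "")
    if not isinstance(host, str):
        return False
    host = host.lower()
    return any(needle in host for needle in NGROK_TUNNEL_HOSTS)


def find_ngrok_connections(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter an event stream (dicts keyed by Sigma field names) to the rule's hits."""
    return [e for e in events if matches_ngrok_rule(e)]


# Constructed sample events, not real telemetry. Field names follow the Sigma
# network_connection taxonomy (Image, DestinationHostname, DestinationPort).
SAMPLE_EVENTS = [
    {"Image": "/tmp/ngrok", "DestinationHostname": "tunnel.us.ngrok.com", "DestinationPort": "443"},
    {"Image": "/usr/bin/curl", "DestinationHostname": "ngrok.com", "DestinationPort": "443"},
    {"Image": "/usr/bin/ssh", "DestinationHostname": "TUNNEL.EU.NGROK.COM", "DestinationPort": "22"},
    {"Image": "/usr/bin/wget", "DestinationHostname": "example.org", "DestinationPort": "80"},
]

if __name__ == "__main__":
    for hit in find_ngrok_connections(SAMPLE_EVENTS):
        print(json.dumps(hit))
```

Note that the second sample event (a plain connection to `ngrok.com`) is not flagged: the rule keys on the regional `tunnel.*` agent endpoints only, so it depends on the log source recording a resolved destination hostname rather than just an IP address.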
Related rules
- Communication To Ngrok Tunneling Service Initiated
- Cloudflared Tunnel Connections Cleanup
- Cloudflared Tunnel Execution
- Communication To LocaltoNet Tunneling Service Initiated
- Communication To LocaltoNet Tunneling Service Initiated - Linux