Process Initiated Network Connection To Ngrok Domain

 1title: Process Initiated Network  Connection To Ngrok Domain
 2id: 18249279-932f-45e2-b37a-8925f2597670
 3related:
 4    - id: 1d08ac94-400d-4469-a82f-daee9a908849
 5      type: similar
 6status: test
 7description: |
 8    Detects an executable initiating a network connection to "ngrok" domains.
 9    Attackers were seen using this "ngrok" in order to store their second stage payloads and malware.
10    While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.    
11references:
12    - https://ngrok.com/
13    - https://ngrok.com/blog-post/new-ngrok-domains
14    - https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/
15    - https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf
16author: Florian Roth (Nextron Systems)
17date: 2022-07-16
18modified: 2023-11-17
19tags:
20    - attack.exfiltration
21    - attack.t1567.001
22logsource:
23    category: network_connection
24    product: windows
25detection:
26    selection:
27        Initiated: 'true'
28        DestinationHostname|endswith:
29            - '.ngrok-free.app'
30            - '.ngrok-free.dev'
31            - '.ngrok.app'
32            - '.ngrok.dev'
33            - '.ngrok.io'
34    condition: selection
35falsepositives:
36    - Legitimate use of the ngrok service.
37# Note: The level of this rule is related to your internal policy.
38level: high

References

• ngrok | API Gateway, IoT Device Gateway, Secure Tunnels for Containers, Apps & APIs

  

  ngrok is a secure ingress platform that enables developers to add global server load balancing, reverse proxy, firewall, API gateway and Kubernetes Ingress to applications and APIs.

  
  Read More

• ngrok blog: New ngrok domains now available

  

  Announcing new ngrok domains for free and paid users. Automatically route traffic to the nearest region, providing visitors with a faster experience.

  
  Read More

• VirusTotal

  VirusTotal

  
  Read More

• ³‹�—™�œŒ\dge#K=™™Š´´ $%¥ .6Ñ‘q�é‰q)ÈJËFq^ ªËª1vø(Lošˆ¹Ó§bÙ‚9XÓÊ?oþúåópà¹-xïÒ1ܺú9~¾ýîÞún|ÿ!~ºòGÜ»ñ¥â§?ãÛ¿þ
  ^:„Ó¶àÒ©=øÛ'pó»OpçÚ—¸öí§8°wš§ŒByI6vïÚŠÏ>û7o]Wܼ†k×®âê•ïqåûopõûoqçÖuÅÍqûÆ÷¸w÷ŠBí´...

  
  Read More

Related rules

• Network Connection Initiated To Cloudflared Tunnels Domains
• Network Connection Initiated To Mega.nz
• APT40 Dropbox Tool User Agent
• AWS EC2 VM Export Failure
• AWS RDS Master Password Change