Process Initiated Network Connection To Ngrok Domain

Detects an executable initiating a network connection to "ngrok" domains. Attackers have been seen using ngrok to host their second stage payloads and malware. While communication with such domains can be legitimate, it is often a sign of either data exfiltration by malicious actors or of an additional download.

Sigma rule

title: Process Initiated Network Connection To Ngrok Domain
id: 18249279-932f-45e2-b37a-8925f2597670
related:
    - id: 1d08ac94-400d-4469-a82f-daee9a908849
      type: similar
status: test
description: |
    Detects an executable initiating a network connection to "ngrok" domains.
    Attackers were seen using this "ngrok" in order to store their second stage payloads and malware.
    While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.
references:
    - https://ngrok.com/
    - https://ngrok.com/blog-post/new-ngrok-domains
    - https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/
    - https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf
author: Florian Roth (Nextron Systems)
date: 2022-07-16
modified: 2025-07-30
tags:
    - attack.exfiltration
    - attack.command-and-control
    - attack.t1567
    - attack.t1572
    - attack.t1102
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith:
            - '.ngrok-free.app'
            - '.ngrok-free.dev'
            - '.ngrok.app'
            - '.ngrok.dev'
            - '.ngrok.io'
    condition: selection
falsepositives:
    - Legitimate use of the ngrok service.
# Note: The level of this rule is related to your internal policy.
level: high
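To show how the selection block above is evaluated, here is an added Python example (not part of the rule or the Sigma project) that applies the rule's matching logic to a few constructed Sysmon-style network connection events; the image paths and hostnames are constructed for illustration.

```python
# Suffixes from the rule's DestinationHostname|endswith list.
NGROK_SUFFIXES = (".ngrok-free.app", ".ngrok-free.dev", ".ngrok.app",
                  ".ngrok.dev", ".ngrok.io")


def matches_ngrok_rule(event: dict) -> bool:
    """True when the event satisfies the rule's 'selection' block.
    Sigma string matching is case-insensitive (no 'cased' modifier here),
    so both fields are lower-cased before comparison."""
    if str(event.get("Initiated", "")).lower() != "true":
        return False  # inbound connections are out of scope for this rule
    hostname = str(event.get("DestinationHostname", "")).lower()
    return hostname.endswith(NGROK_SUFFIXES)


def run_rule(events: list) -> list:
    """Return (Image, DestinationHostname) for every matching event."""
    return [(e.get("Image", "?"), e["DestinationHostname"])
            for e in events if matches_ngrok_rule(e)]


# Constructed sample events shaped like Sysmon Event ID 3 fields.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\a\AppData\Local\Temp\update.exe", "Initiated": "true",
     "DestinationHostname": "abcd-1234.ngrok-free.app"},      # matches
    {"Image": r"C:\Windows\System32\svchost.exe", "Initiated": "true",
     "DestinationHostname": "Tunnel.NGROK.io"},               # matches, case-insensitive
    {"Image": r"C:\Tools\ngrok.exe", "Initiated": "false",
     "DestinationHostname": "x.ngrok.io"},                    # inbound: not matched
    {"Image": r"C:\Program Files\curl\curl.exe", "Initiated": "true",
     "DestinationHostname": "ngrok.io"},                      # apex domain: not in the list
    {"Image": r"C:\Program Files\curl\curl.exe", "Initiated": "true",
     "DestinationHostname": "www.notngrok.io"},               # look-alike: not matched
    {"Image": r"C:\Windows\System32\svchost.exe", "Initiated": "true",
     "DestinationHostname": "update.microsoft.com"},          # benign: not matched
]

if __name__ == "__main__":
    for image, host in run_rule(SAMPLE_EVENTS):
        print(f"ALERT  {image} -> {host}")
```

Note that an apex domain with no subdomain (the fourth event) falls outside the rule's `endswith` list, which only matches names under those suffixes.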
