Process Initiated Network Connection To Ngrok Domain

Detects an executable initiating a network connection to "ngrok" domains. Attackers were seen using this "ngrok" in order to store their second stage payloads and malware. While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.

Sigma rule (View on GitHub)

 1title: Process Initiated Network  Connection To Ngrok Domain
 2id: 18249279-932f-45e2-b37a-8925f2597670
 3related:
 4    - id: 1d08ac94-400d-4469-a82f-daee9a908849
 5      type: similar
 6status: test
 7description: |
 8    Detects an executable initiating a network connection to "ngrok" domains.
 9    Attackers were seen using this "ngrok" in order to store their second stage payloads and malware.
10    While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.    
11references:
12    - https://ngrok.com/
13    - https://ngrok.com/blog-post/new-ngrok-domains
14    - https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/
15    - https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf
16author: Florian Roth (Nextron Systems)
17date: 2022-07-16
18modified: 2023-11-17
19tags:
20    - attack.exfiltration
21    - attack.t1567.001
22logsource:
23    category: network_connection
24    product: windows
25detection:
26    selection:
27        Initiated: 'true'
28        DestinationHostname|endswith:
29            - '.ngrok-free.app'
30            - '.ngrok-free.dev'
31            - '.ngrok.app'
32            - '.ngrok.dev'
33            - '.ngrok.io'
34    condition: selection
35falsepositives:
36    - Legitimate use of the ngrok service.
37# Note: The level of this rule is related to your internal policy.
38level: high

References

Related rules

to-top