Process Initiated Network Connection To Ngrok Domain

Detects an executable initiating a network connection to ngrok domains. Attackers have been seen using ngrok to host their second-stage payloads and malware. While communication with such domains can be legitimate, it is often a sign of data exfiltration by malicious actors or of an additional download.

Sigma rule

title: Process Initiated Network Connection To Ngrok Domain
id: 18249279-932f-45e2-b37a-8925f2597670
related:
    - id: 1d08ac94-400d-4469-a82f-daee9a908849
      type: similar
status: test
description: |
    Detects an executable initiating a network connection to "ngrok" domains.
    Attackers have been seen using ngrok to host their second-stage payloads and malware.
    While communication with such domains can be legitimate, it is often a sign of data exfiltration by malicious actors or of an additional download.
references:
    - https://ngrok.com/
    - https://ngrok.com/blog-post/new-ngrok-domains
    - https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/
    - https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf
author: Florian Roth (Nextron Systems)
date: 2022/07/16
modified: 2023/11/17
tags:
    - attack.exfiltration
    - attack.t1567.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith:
            - '.ngrok-free.app'
            - '.ngrok-free.dev'
            - '.ngrok.app'
            - '.ngrok.dev'
            - '.ngrok.io'
    condition: selection
falsepositives:
    - Legitimate use of the ngrok service.
# Note: The level of this rule is related to your internal policy.
level: high
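The selection above is a two-field test: the connection must be outbound (Initiated is true) and the destination hostname must end with one of the listed ngrok suffixes. The following Python is an added example, not part of the Sigma project or of this rule, that applies exactly that logic to a handful of constructed Sysmon Event ID 3 style records so the matching behaviour (case-insensitive suffix match, inbound connections ignored, a bare apex domain or an empty hostname not matched) can be seen directly. The event class, field names and sample values are assumptions made for the example.

```python
"""Added example: evaluate the rule's selection against constructed
network-connection records. Not the Sigma project's code; the event
structure and all sample values below are made up for illustration."""
from dataclasses import dataclass
from typing import Iterable, List

# Suffix list copied from the rule's DestinationHostname|endswith modifier.
NGROK_SUFFIXES = (
    ".ngrok-free.app",
    ".ngrok-free.dev",
    ".ngrok.app",
    ".ngrok.dev",
    ".ngrok.io",
)


@dataclass
class NetworkConnectionEvent:
    """Minimal stand-in for a Sysmon Event ID 3 record (assumed shape)."""
    image: str                 # process that opened the socket
    initiated: bool            # True for outbound connections
    destination_hostname: str  # reverse-resolved name, may be empty
    destination_port: int


def matches_ngrok_rule(event: NetworkConnectionEvent) -> bool:
    """Return True when the event satisfies the rule's `selection` block.

    Sigma string comparisons are case-insensitive by default, so the
    hostname is lower-cased before the suffix test. The `Initiated: 'true'`
    term restricts the match to connections the process itself opened.
    Each suffix starts with a dot, so the bare apex name (e.g. "ngrok.io")
    does not match; only subdomains do, which is what ngrok tunnels use.
    """
    if not event.initiated:
        return False
    host = event.destination_hostname.strip().lower()
    return host.endswith(NGROK_SUFFIXES)


def find_matches(events: Iterable[NetworkConnectionEvent]) -> List[NetworkConnectionEvent]:
    """Filter a stream of events down to those the rule would alert on."""
    return [e for e in events if matches_ngrok_rule(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # outbound to an ngrok-free tunnel: matches
    NetworkConnectionEvent(r"C:\Windows\Temp\update.exe", True, "a1b2c3d4.ngrok-free.app", 443),
    # ordinary browsing: no match
    NetworkConnectionEvent(r"C:\Program Files\Mozilla Firefox\firefox.exe", True, "www.example.com", 443),
    # mixed-case hostname: still matches (case-insensitive)
    NetworkConnectionEvent(r"C:\Users\alice\Downloads\tool.exe", True, "Tunnel.NGROK.IO", 443),
    # inbound connection: Initiated is false, so no match
    NetworkConnectionEvent(r"C:\Windows\System32\svchost.exe", False, "svc-test.ngrok.io", 4444),
    # bare apex domain: suffixes begin with a dot, so no match
    NetworkConnectionEvent(r"C:\Windows\Temp\x.exe", True, "ngrok.io", 443),
    # no reverse lookup available: empty hostname never matches
    NetworkConnectionEvent(r"C:\Windows\Temp\y.exe", True, "", 443),
]


if __name__ == "__main__":
    for e in find_matches(SAMPLE_EVENTS):
        print(f"ALERT {e.image} -> {e.destination_hostname}:{e.destination_port}")
```

The last sample event illustrates the main coverage gap of a hostname-based network_connection rule: Sysmon fills DestinationHostname from reverse DNS, and a tunnel endpoint that does not resolve back to an ngrok name produces an empty or unrelated hostname, so the rule is best paired with DNS query telemetry (the rule's related entry points at a similar rule) rather than relied on alone.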
