Process Initiated Network Connection To Ngrok Domain
Detects an executable initiating a network connection to "ngrok" domains. Attackers have been seen using ngrok to host their second-stage payloads and malware. While communication with such domains can be legitimate, it is often a sign of data exfiltration by malicious actors or of an additional payload download.
Sigma rule
```yaml
title: Process Initiated Network Connection To Ngrok Domain
id: 18249279-932f-45e2-b37a-8925f2597670
related:
    - id: 1d08ac94-400d-4469-a82f-daee9a908849
      type: similar
status: test
description: |
    Detects an executable initiating a network connection to "ngrok" domains.
    Attackers have been seen using ngrok to host their second-stage payloads and malware.
    While communication with such domains can be legitimate, it is often a sign of data exfiltration by malicious actors or of an additional payload download.
references:
    - https://ngrok.com/
    - https://ngrok.com/blog-post/new-ngrok-domains
    - https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/
    - https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf
author: Florian Roth (Nextron Systems)
date: 2022/07/16
modified: 2023/11/17
tags:
    - attack.exfiltration
    - attack.t1567.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith:
            - '.ngrok-free.app'
            - '.ngrok-free.dev'
            - '.ngrok.app'
            - '.ngrok.dev'
            - '.ngrok.io'
    condition: selection
falsepositives:
    - Legitimate use of the ngrok service.
# Note: The level of this rule is related to your internal policy.
level: high
```
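To show what the `selection` above actually fires on, the following added example (illustrative code, not part of the SigmaHQ rule or its tooling) replays the rule's logic over constructed Sysmon Event ID 3 "Network connection detected" messages. The record layout is a trimmed, blank-line-separated version of the Sysmon message text and the hosts, IPs and image paths are made up; the matching mirrors Sigma semantics as assumed here: `Initiated` is compared as the string `'true'` (Sysmon logs it as text, not a boolean) and string matching is case-insensitive.

```python
# Added example: replays the rule's 'selection' over constructed Sysmon Event ID 3
# records. Illustrative code, not part of the SigmaHQ rule or its tooling.

# Suffixes copied from the rule's DestinationHostname|endswith list
NGROK_SUFFIXES = (
    ".ngrok-free.app",
    ".ngrok-free.dev",
    ".ngrok.app",
    ".ngrok.dev",
    ".ngrok.io",
)

# Constructed Sysmon "Network connection detected" messages (not real telemetry),
# one record per blank-line-separated block, trimmed to the fields that matter.
SAMPLE_LOG = r"""
Network connection detected:
Image: C:\Windows\System32\rundll32.exe
Initiated: true
DestinationIp: 192.0.2.10
DestinationHostname: abc123.ngrok-free.app
DestinationPort: 443

Network connection detected:
Image: C:\Users\dev\Downloads\ngrok.exe
Initiated: true
DestinationIp: 192.0.2.11
DestinationHostname: TUNNEL.EU.NGROK.IO
DestinationPort: 443

Network connection detected:
Image: C:\Windows\System32\svchost.exe
Initiated: false
DestinationIp: 192.0.2.12
DestinationHostname: evil.ngrok.io
DestinationPort: 49152

Network connection detected:
Image: C:\Program Files\Google\Chrome\Application\chrome.exe
Initiated: true
DestinationIp: 192.0.2.13
DestinationHostname: notngrok.io
DestinationPort: 443
"""


def parse_sysmon_messages(text):
    """Splits blank-line-separated records and reads their 'Field: value' lines.

    partition() on the first colon keeps Windows paths ('C:\\...') intact, and the
    'Network connection detected:' header line carries no value, so it is skipped.
    """
    events = []
    for block in text.strip().split("\n\n"):
        event = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and value.strip():
                event[key.strip()] = value.strip()
        events.append(event)
    return events


def matches_ngrok_rule(event):
    """The rule's 'selection': Initiated == 'true' AND DestinationHostname ends
    with one of the listed suffixes (case-insensitive, as Sigma matches by default).

    The leading dot in every suffix means lookalikes such as 'notngrok.io' and the
    bare apex 'ngrok.io' do not match; only subdomains (tunnel hostnames) do.
    """
    if event.get("Initiated", "").lower() != "true":
        return False          # inbound connection: outside the rule's scope
    host = event.get("DestinationHostname", "").lower()
    return any(host.endswith(suffix) for suffix in NGROK_SUFFIXES)


def run_rule(text):
    """Returns (Image, DestinationHostname) for every record the rule fires on."""
    return [
        (e["Image"], e["DestinationHostname"])
        for e in parse_sysmon_messages(text)
        if matches_ngrok_rule(e)
    ]


if __name__ == "__main__":
    for image, host in run_rule(SAMPLE_LOG):
        print(f"ALERT level=high image={image} dest={host}")
```

Of the four constructed records only the first two fire: the rundll32 connection to an `ngrok-free.app` subdomain and the uppercase `NGROK.IO` tunnel host. The inbound svchost record is dropped by `Initiated`, and `notngrok.io` is dropped by the leading dot in the suffix. One caveat when deploying the rule: Sysmon fills `DestinationHostname` by reverse DNS lookup of the destination IP (controlled by the `DnsLookup` option in the Sysmon configuration), so if the PTR record for an ngrok edge does not resolve back to an ngrok name, the connection never carries a matching hostname; pairing this rule with DNS query logging (Sysmon Event ID 22) closes that gap.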
Related rules
- Network Connection Initiated To DevTunnels Domain
- Network Connection Initiated To Mega.nz
- Network Connection Initiated To Visual Studio Code Tunnels Domain
- Communication To Ngrok Tunneling Service Initiated
- Active Directory Structure Export Via Ldifde.EXE