Communication To Ngrok Tunneling Service Initiated

 1title: Communication To Ngrok Tunneling Service Initiated
 2id: 1d08ac94-400d-4469-a82f-daee9a908849
 3related:
 4    - id: 18249279-932f-45e2-b37a-8925f2597670
 5      type: similar
 6status: test
 7description: |
 8    Detects an executable initiating a network connection to "ngrok" tunneling domains.
 9    Attackers were seen using this "ngrok" in order to store their second stage payloads and malware.
10    While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.    
11references:
12    - https://twitter.com/hakluke/status/1587733971814977537/photo/1
13    - https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent
14author: Florian Roth (Nextron Systems)
15date: 2022-11-03
16modified: 2024-02-02
17tags:
18    - attack.exfiltration
19    - attack.command-and-control
20    - attack.t1567
21    - attack.t1568.002
22    - attack.t1572
23    - attack.t1090
24    - attack.t1102
25    - attack.s0508
26logsource:
27    category: network_connection
28    product: windows
29detection:
30    selection:
31        DestinationHostname|contains:
32            - 'tunnel.us.ngrok.com'
33            - 'tunnel.eu.ngrok.com'
34            - 'tunnel.ap.ngrok.com'
35            - 'tunnel.au.ngrok.com'
36            - 'tunnel.sa.ngrok.com'
37            - 'tunnel.jp.ngrok.com'
38            - 'tunnel.in.ngrok.com'
39    condition: selection
40falsepositives:
41    - Legitimate use of the ngrok service.
42level: high