Communication To Ngrok Tunneling Service Initiated

Detects an executable initiating a network connection to "ngrok" tunneling domains. Attackers have been observed using ngrok to host their second-stage payloads and malware. While communication with such domains can be legitimate, it is often a sign of either data exfiltration by malicious actors or an additional download.

Sigma rule

```yaml
title: Communication To Ngrok Tunneling Service Initiated
id: 1d08ac94-400d-4469-a82f-daee9a908849
related:
    - id: 18249279-932f-45e2-b37a-8925f2597670
      type: similar
status: test
description: |
    Detects an executable initiating a network connection to "ngrok" tunneling domains.
    Attackers have been observed using ngrok to host their second-stage payloads and malware.
    While communication with such domains can be legitimate, it is often a sign of either data exfiltration by malicious actors or an additional download.
references:
    - https://twitter.com/hakluke/status/1587733971814977537/photo/1
    - https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent
author: Florian Roth (Nextron Systems)
date: 2022-11-03
modified: 2024-02-02
tags:
    - attack.exfiltration
    - attack.command-and-control
    - attack.t1567
    - attack.t1568.002
    - attack.t1572
    - attack.t1090
    - attack.t1102
    - attack.s0508
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|contains:
            - 'tunnel.us.ngrok.com'
            - 'tunnel.eu.ngrok.com'
            - 'tunnel.ap.ngrok.com'
            - 'tunnel.au.ngrok.com'
            - 'tunnel.sa.ngrok.com'
            - 'tunnel.jp.ngrok.com'
            - 'tunnel.in.ngrok.com'
    condition: selection
falsepositives:
    - Legitimate use of the ngrok service.
level: high
```
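The following is an added example, not part of the SigmaHQ rule or its tooling: it evaluates the rule's `DestinationHostname|contains` selection against a handful of constructed Sysmon Event ID 3 (network connection) records, applying Sigma's case-insensitive string matching. The sample events, image paths and hostnames are made up for illustration; the field names follow Sysmon's network-connection event schema.

```python
"""Evaluate the ngrok tunnel rule's selection against constructed
Sysmon EID 3 records. Sigma `contains` modifiers match case-insensitively,
so both sides are lowercased before comparison."""
from typing import Iterable

# Values copied from the rule's DestinationHostname|contains list
NGROK_TUNNEL_HOSTS = [
    "tunnel.us.ngrok.com", "tunnel.eu.ngrok.com", "tunnel.ap.ngrok.com",
    "tunnel.au.ngrok.com", "tunnel.sa.ngrok.com", "tunnel.jp.ngrok.com",
    "tunnel.in.ngrok.com",
]


def matches_rule(event: dict) -> bool:
    """Sigma `field|contains: [a, b, ...]` is a logical OR over the list.
    A record without DestinationHostname (e.g. no reverse DNS available)
    cannot match, which is a known blind spot of hostname-based rules."""
    host = event.get("DestinationHostname")
    if not isinstance(host, str):
        return False
    host = host.lower()
    return any(needle in host for needle in NGROK_TUNNEL_HOSTS)


def scan(events: Iterable[dict]) -> list[dict]:
    """Return the subset of events that would fire this rule."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry); paths/hosts are invented
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Users\alice\Downloads\ngrok.exe",
     "DestinationHostname": "tunnel.us.ngrok.com", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "TUNNEL.EU.NGROK.COM", "DestinationPort": 443},
    # The ngrok website itself is not a tunnel endpoint: no match
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "www.ngrok.com", "DestinationPort": 443},
    # Hostname missing (IP only): the rule cannot see this connection
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"ALERT  {hit['Image']} -> {hit['DestinationHostname']}")
```

Only the first two records fire; the last one shows why pairing this rule with an IP- or process-based detection matters when reverse DNS is not populated.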
