Communication To Ngrok Tunneling Service Initiated
Detects an executable initiating a network connection to "ngrok" tunneling domains. Attackers were seen using this "ngrok" in order to store their second stage payloads and malware. While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.
Sigma rule (View on GitHub)
1title: Communication To Ngrok Tunneling Service Initiated
2id: 1d08ac94-400d-4469-a82f-daee9a908849
3related:
4 - id: 18249279-932f-45e2-b37a-8925f2597670
5 type: similar
6status: test
7description: |
8 Detects an executable initiating a network connection to "ngrok" tunneling domains.
9 Attackers were seen using this "ngrok" in order to store their second stage payloads and malware.
10 While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.
11references:
12 - https://twitter.com/hakluke/status/1587733971814977537/photo/1
13 - https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent
14author: Florian Roth (Nextron Systems)
15date: 2022/11/03
16modified: 2024/02/02
17tags:
18 - attack.exfiltration
19 - attack.command_and_control
20 - attack.t1567
21 - attack.t1568.002
22 - attack.t1572
23 - attack.t1090
24 - attack.t1102
25 - attack.s0508
26logsource:
27 category: network_connection
28 product: windows
29detection:
30 selection:
31 DestinationHostname|contains:
32 - 'tunnel.us.ngrok.com'
33 - 'tunnel.eu.ngrok.com'
34 - 'tunnel.ap.ngrok.com'
35 - 'tunnel.au.ngrok.com'
36 - 'tunnel.sa.ngrok.com'
37 - 'tunnel.jp.ngrok.com'
38 - 'tunnel.in.ngrok.com'
39 condition: selection
40falsepositives:
41 - Legitimate use of the ngrok service.
42level: high
References
Related rules
- Communication To Ngrok Tunneling Service - Linux
- Cloudflared Tunnel Connections Cleanup
- Cloudflared Tunnel Execution
- Potential Dead Drop Resolvers
- Suspicious Non-Browser Network Communication With Google API