Communication To Ngrok Domains

calendar Nov 17, 2023 · attack.exfiltration attack.t1567.001  ·
Share on: linkedin copy

Detects an executable accessing ngrok domains, which could be a sign of forbidden data exfiltration by malicious actors

Sigma rule (View on GitHub)

 1title: Communication To Ngrok Domains
 2id: 18249279-932f-45e2-b37a-8925f2597670
 3status: test
 4description: Detects an executable accessing ngrok domains, which could be a sign of forbidden data exfiltration by malicious actors
 5references:
 6    - https://ngrok.com/
 7    - https://ngrok.com/blog-post/new-ngrok-domains
 8    - https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/
 9    - https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf
10author: Florian Roth (Nextron Systems)
11date: 2022/07/16
12modified: 2023/11/17
13tags:
14    - attack.exfiltration
15    - attack.t1567.001
16logsource:
17    category: network_connection
18    product: windows
19detection:
20    selection:
21        Initiated: 'true'
22        DestinationHostname|endswith:
23            - '.ngrok-free.app'
24            - '.ngrok-free.dev'
25            - '.ngrok.app'
26            - '.ngrok.dev'
27            - '.ngrok.io'
28    condition: selection
29falsepositives:
30    - Legitimate use of ngrok domains
31level: high

References

  • ngrok | Unified Application Delivery Platform for Developers

    ngrok is a secure unified ingress platform that combines your global server load balancing, reverse proxy, firewall, API gateway and Kubernetes Ingress Controller to deliver applications and APIs.


    Read More

  • ngrok blog: New ngrok domains now available

    We’re excited to announce the release of new ngrok domains for free and paid users. These new domains automatically route your traffic to the nearest available region on the ngrok Global Network, providing you and your users with faster speeds and a smoother experience.


    Read More

  • VirusTotal

    VirusTotal


    Read More

  • ³‹�—™�œŒ\dge#K=™™Š´´ $%¥ .6Ñ‘q�é‰q)ÈJËFq^ ªËª1vø(Lošˆ¹Ó§bÙ‚9XÓÊ?oþúåópà¹-xïÒ1ܺú9~¾ýîÞún|ÿ!~ºòGÜ»ñ¥â§?ãÛ¿þ^:„Ó¶àÒ©=øÛ'pó»OpçÚ—¸öí§8°w š§ŒByI6vïÚŠÏ>û7o]Wܼ†k×®âê•ïqåûopõûoqçÖuÅÍqûÆ÷¸w÷ŠBí´...


    Read More

Related rules

to-top