Detectionhightest
Process Initiated Network Connection To Ngrok Domain
Detects an executable initiating a network connection to "ngrok" domains. Attackers were seen using this "ngrok" in order to store their second stage payloads and malware. While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Florian Roth (Nextron Systems)Created Sat Jul 16Updated Wed Jul 3018249279-932f-45e2-b37a-8925f2597670windows
Log Source
WindowsNetwork Connection
ProductWindows← raw: windows
CategoryNetwork Connection← raw: network_connection
Events for outbound and inbound network connections including DNS resolution.
Detection Logic
Detection Logic1 selector
detection:
selection:
Initiated: 'true'
DestinationHostname|endswith:
- '.ngrok-free.app'
- '.ngrok-free.dev'
- '.ngrok.app'
- '.ngrok.dev'
- '.ngrok.io'
condition: selectionFalse Positives
Legitimate use of the ngrok service.
MITRE ATT&CK
Rule Metadata
Rule ID
18249279-932f-45e2-b37a-8925f2597670
Status
test
Level
high
Type
Detection
Created
Sat Jul 16
Modified
Wed Jul 30
Path
rules/windows/network_connection/net_connection_win_domain_ngrok.yml
Raw Tags
attack.exfiltrationattack.command-and-controlattack.t1567attack.t1572attack.t1102