Detectionhightest
Communication To Ngrok Tunneling Service - Linux
Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Log Source
LinuxNetwork Connection
ProductLinux← raw: linux
CategoryNetwork Connection← raw: network_connection
Events for outbound and inbound network connections including DNS resolution.
Detection Logic
Detection Logic1 selector
detection:
selection:
DestinationHostname|contains:
- 'tunnel.us.ngrok.com'
- 'tunnel.eu.ngrok.com'
- 'tunnel.ap.ngrok.com'
- 'tunnel.au.ngrok.com'
- 'tunnel.sa.ngrok.com'
- 'tunnel.jp.ngrok.com'
- 'tunnel.in.ngrok.com'
condition: selectionFalse Positives
Legitimate use of ngrok
MITRE ATT&CK
Rule Metadata
Rule ID
19bf6fdb-7721-4f3d-867f-53467f6a5db6
Status
test
Level
high
Type
Detection
Created
Thu Nov 03
Path
rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml
Raw Tags
attack.exfiltrationattack.command-and-controlattack.t1567attack.t1568.002attack.t1572attack.t1090attack.t1102attack.s0508