Detectionhightest
Communication To Ngrok Tunneling Service Initiated
Detects an executable initiating a network connection to "ngrok" tunneling domains. Attackers were seen using this "ngrok" in order to store their second stage payloads and malware. While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Florian Roth (Nextron Systems)Created Thu Nov 03Updated Fri Feb 021d08ac94-400d-4469-a82f-daee9a908849windows
Log Source
WindowsNetwork Connection
ProductWindows← raw: windows
CategoryNetwork Connection← raw: network_connection
Events for outbound and inbound network connections including DNS resolution.
Detection Logic
Detection Logic1 selector
detection:
selection:
DestinationHostname|contains:
- 'tunnel.us.ngrok.com'
- 'tunnel.eu.ngrok.com'
- 'tunnel.ap.ngrok.com'
- 'tunnel.au.ngrok.com'
- 'tunnel.sa.ngrok.com'
- 'tunnel.jp.ngrok.com'
- 'tunnel.in.ngrok.com'
condition: selectionFalse Positives
Legitimate use of the ngrok service.
MITRE ATT&CK
Rule Metadata
Rule ID
1d08ac94-400d-4469-a82f-daee9a908849
Status
test
Level
high
Type
Detection
Created
Thu Nov 03
Modified
Fri Feb 02
Path
rules/windows/network_connection/net_connection_win_domain_ngrok_tunnel.yml
Raw Tags
attack.exfiltrationattack.command-and-controlattack.t1567attack.t1568.002attack.t1572attack.t1090attack.t1102attack.s0508