
Communication To Ngrok Tunneling Service Initiated

Severity: high
Author: Florian Roth (Nextron Systems)
Source: upstream

Detects an executable initiating a network connection to "ngrok" tunneling domains. Attackers have been seen using ngrok to store their second-stage payloads and malware. While communication with such domains can be legitimate, it is often a sign of either data exfiltration by malicious actors or an additional download.

MITRE ATT&CK coverage

Tactic              Techniques
Command & Control   T1090 Proxy, T1102 Web Service, T1568.002 Dynamic Resolution: Domain Generation Algorithms, T1572 Protocol Tunneling
Exfiltration        T1567 Exfiltration Over Web Service

Event coverage

Provider   Event ID   Title
Sysmon     3          Network connection

Stages and Predicates

Stage 1: selection

  or:
    DestinationHostname|contains: tunnel.ap.ngrok.com
    DestinationHostname|contains: tunnel.au.ngrok.com
    DestinationHostname|contains: tunnel.eu.ngrok.com
    DestinationHostname|contains: tunnel.in.ngrok.com
    DestinationHostname|contains: tunnel.jp.ngrok.com
    DestinationHostname|contains: tunnel.sa.ngrok.com
    DestinationHostname|contains: tunnel.us.ngrok.com
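To show what the selection stage actually does against telemetry, here is an added Python implementation of it (not part of the rule or the catalog) run over constructed Sysmon Event ID 3 records. It applies the Sigma `contains` modifier as a case-insensitive substring test and gates on `EventID == 3` to mirror the event coverage table; the field names and sample values are assumptions for illustration.

```python
import json

# The seven "DestinationHostname|contains" values from the rule's selection stage.
NGROK_TUNNEL_HOSTS = (
    "tunnel.ap.ngrok.com",
    "tunnel.au.ngrok.com",
    "tunnel.eu.ngrok.com",
    "tunnel.in.ngrok.com",
    "tunnel.jp.ngrok.com",
    "tunnel.sa.ngrok.com",
    "tunnel.us.ngrok.com",
)


def selection(event: dict) -> bool:
    """Stage 1 'selection': any listed value is a substring of DestinationHostname.

    Sigma string matching is case-insensitive by default, so both sides are
    lower-cased. The EventID gate stands in for the Sysmon logsource (assumed
    field name; Sigma normally applies it outside the detection block).
    """
    if event.get("EventID") != 3:
        return False
    host = str(event.get("DestinationHostname", "")).lower()
    return any(needle in host for needle in NGROK_TUNNEL_HOSTS)


def evaluate(events):
    """Return the events that trigger the rule, preserving input order."""
    return [e for e in events if selection(e)]


# Constructed sample records (not real telemetry) covering the edge cases:
# an exact hit, a benign host, a mixed-case hit, a non-network event with a
# matching hostname, and a connection where no hostname was resolved.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Users\u\AppData\Local\Temp\svc.exe",
     "DestinationHostname": "tunnel.us.ngrok.com", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Browser\browser.exe",
     "DestinationHostname": "www.example.com", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Windows\System32\curl.exe",
     "DestinationHostname": "TUNNEL.EU.NGROK.COM", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\tools\ngrok.exe",
     "DestinationHostname": "tunnel.eu.ngrok.com"},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationPort": 443},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(json.dumps(hit))
```

Note that a connection logged only by IP (no DestinationHostname) never matches, which is why the rule depends on Sysmon's DNS-resolved hostname field being populated.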

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field: DestinationHostname
Kind: match
Values:
  • tunnel.ap.ngrok.com
  • tunnel.au.ngrok.com
  • tunnel.eu.ngrok.com
  • tunnel.in.ngrok.com
  • tunnel.jp.ngrok.com
  • tunnel.sa.ngrok.com
  • tunnel.us.ngrok.com