EXPLORE
Sign In
← Back to Explore
sigmahighHunting

Process Initiated Network Connection To Ngrok Domain

Detects an executable initiating a network connection to "ngrok" domains. Attackers were seen using this "ngrok" in order to store their second stage payloads and malware. While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.

MITRE ATT&CK

T1567T1572T1102
exfiltrationcommand-and-control

Detection Query

selection:
  Initiated: "true"
  DestinationHostname|endswith:
    - .ngrok-free.app
    - .ngrok-free.dev
    - .ngrok.app
    - .ngrok.dev
    - .ngrok.io
condition: selection

Author

Florian Roth (Nextron Systems)

Created

2022-07-16

Data Sources

windowsNetwork Connection Events

Platforms

windows

References

Tags

attack.exfiltrationattack.command-and-controlattack.t1567attack.t1572attack.t1102
Raw Content
title: Process Initiated Network Connection To Ngrok Domain
id: 18249279-932f-45e2-b37a-8925f2597670
related:
    - id: 1d08ac94-400d-4469-a82f-daee9a908849
      type: similar
status: test
description: |
    Detects an executable initiating a network connection to "ngrok" domains.
    Attackers were seen using this "ngrok" in order to store their second stage payloads and malware.
    While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.
references:
    - https://ngrok.com/
    - https://ngrok.com/blog-post/new-ngrok-domains
    - https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/
    - https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf
author: Florian Roth (Nextron Systems)
date: 2022-07-16
modified: 2025-07-30
tags:
    - attack.exfiltration
    - attack.command-and-control
    - attack.t1567
    - attack.t1572
    - attack.t1102
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith:
            - '.ngrok-free.app'
            - '.ngrok-free.dev'
            - '.ngrok.app'
            - '.ngrok.dev'
            - '.ngrok.io'
    condition: selection
falsepositives:
    - Legitimate use of the ngrok service.
# Note: The level of this rule is related to your internal policy.
level: high