EXPLORE
Sign In
← Back to Explore
sigmahighHunting

Communication To Ngrok Tunneling Service Initiated

Detects an executable initiating a network connection to "ngrok" tunneling domains. Attackers were seen using this "ngrok" in order to store their second stage payloads and malware. While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.

MITRE ATT&CK

T1567T1568.002T1572T1090T1102S0508
exfiltrationcommand-and-control

Detection Query

selection:
  DestinationHostname|contains:
    - tunnel.us.ngrok.com
    - tunnel.eu.ngrok.com
    - tunnel.ap.ngrok.com
    - tunnel.au.ngrok.com
    - tunnel.sa.ngrok.com
    - tunnel.jp.ngrok.com
    - tunnel.in.ngrok.com
condition: selection

Author

Florian Roth (Nextron Systems)

Created

2022-11-03

Data Sources

windowsNetwork Connection Events

Platforms

windows

References

Tags

attack.exfiltrationattack.command-and-controlattack.t1567attack.t1568.002attack.t1572attack.t1090attack.t1102attack.s0508
Raw Content
title: Communication To Ngrok Tunneling Service Initiated
id: 1d08ac94-400d-4469-a82f-daee9a908849
related:
    - id: 18249279-932f-45e2-b37a-8925f2597670
      type: similar
status: test
description: |
    Detects an executable initiating a network connection to "ngrok" tunneling domains.
    Attackers were seen using this "ngrok" in order to store their second stage payloads and malware.
    While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.
references:
    - https://twitter.com/hakluke/status/1587733971814977537/photo/1
    - https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent
author: Florian Roth (Nextron Systems)
date: 2022-11-03
modified: 2024-02-02
tags:
    - attack.exfiltration
    - attack.command-and-control
    - attack.t1567
    - attack.t1568.002
    - attack.t1572
    - attack.t1090
    - attack.t1102
    - attack.s0508
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|contains:
            - 'tunnel.us.ngrok.com'
            - 'tunnel.eu.ngrok.com'
            - 'tunnel.ap.ngrok.com'
            - 'tunnel.au.ngrok.com'
            - 'tunnel.sa.ngrok.com'
            - 'tunnel.jp.ngrok.com'
            - 'tunnel.in.ngrok.com'
    condition: selection
falsepositives:
    - Legitimate use of the ngrok service.
level: high