Communication To Ngrok Tunneling Service Initiated

Rule Info

Name
Communication To Ngrok Tunneling Service Initiated
Author
Florian Roth (Nextron Systems)
Description
Detects an executable initiating a network connection to "ngrok" tunneling domains. Attackers were seen using this "ngrok" in order to store their second stage payloads and malware. While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.
Reference
https://twitter.com/hakluke/status/1587733971814977537/photo/1
Date
2022-11-03 00:00:00
Modified
2024-02-02 00:00:00
Id
1d08ac94-400d-4469-a82f-daee9a908849
Tags
attack.exfiltration attack.command-and-control attack.t1567 attack.t1568.002 attack.t1572 attack.t1090 attack.t1102 attack.s0508
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=1d08ac94-400d-4469-a82f-daee9a908849

Rule History

Author
Title
Date
Commit
Nasreddine Bencherchali
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12
598d29f81
Nasreddine Bencherchali
Merge PR #4702 from @nasbench - Rule tuning and updates
2024-02-12
2acebc90f
frack113
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17
020fc8061
Nasreddine Bencherchali
chore: add nextron authors tag
2023-02-01
7c38a5c49
Florian Roth
Update rules/windows/network_connection/net_connection_win_ngrok_tunnel.yml
2022-11-04
d254c7a51
Florian Roth
Rule: Ngrok tunnel LNX
2022-11-03
4fcac3089
Florian Roth
Rule: Ngrok Tunnel Target
2022-11-03
e6278f839
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022