Techniques
Sample rules
Communication To Ngrok Tunneling Service - Linux
- source: sigma
- techniques:
- t1090
- t1102
- t1567
- t1568
- t1568.002
- t1572
Description
Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden data exfiltration by malicious actors
Detection logic
selection:
    DestinationHostname|contains:
        - tunnel.us.ngrok.com
        - tunnel.eu.ngrok.com
        - tunnel.ap.ngrok.com
        - tunnel.au.ngrok.com
        - tunnel.sa.ngrok.com
        - tunnel.jp.ngrok.com
        - tunnel.in.ngrok.com
condition: selection
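As an added illustration (not part of the Sigma rule or of this page), the Python below evaluates the rule's selection and condition over a handful of constructed network-connection events. Sigma's `|contains` modifier is a case-insensitive substring match, and the condition is just `selection`, so a single hostname hit is a match. The event field names and the JSON-lines input shape are assumptions; the only thing taken from the page is the list of ngrok tunnel endpoints. Note that the rule can only fire when the log source actually fills in `DestinationHostname`; an event that carries only an IP address is skipped.

```python
import json

# Endpoints copied from the rule's selection list.
NGROK_TUNNEL_HOSTS = [
    "tunnel.us.ngrok.com",
    "tunnel.eu.ngrok.com",
    "tunnel.ap.ngrok.com",
    "tunnel.au.ngrok.com",
    "tunnel.sa.ngrok.com",
    "tunnel.jp.ngrok.com",
    "tunnel.in.ngrok.com",
]


def matches_rule(event: dict) -> bool:
    """Return True if the event satisfies `selection` (and hence the condition).

    Sigma `DestinationHostname|contains` is a case-insensitive substring test
    against each listed value; any one hit is enough.
    """
    hostname = event.get("DestinationHostname")
    if not hostname:
        # No hostname logged (e.g. no reverse lookup performed): the rule cannot fire.
        return False
    hostname = hostname.lower()
    return any(endpoint in hostname for endpoint in NGROK_TUNNEL_HOSTS)


def scan_events(events):
    """Apply the rule to an iterable of event dicts; return the matching ones."""
    return [event for event in events if matches_rule(event)]


def scan_jsonl(text: str):
    """Apply the rule to newline-delimited JSON events (assumed log export format)."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return scan_events(events)


# Constructed sample events (not real telemetry); field names are assumed.
SAMPLE_JSONL = "\n".join([
    json.dumps({"Image": "/usr/local/bin/ngrok", "DestinationHostname": "tunnel.eu.ngrok.com", "DestinationPort": 443}),
    json.dumps({"Image": "/usr/bin/curl", "DestinationHostname": "example.com", "DestinationPort": 443}),
    json.dumps({"Image": "/tmp/agent", "DestinationHostname": "TUNNEL.US.NGROK.COM", "DestinationPort": 443}),
    json.dumps({"Image": "/usr/bin/python3", "DestinationHostname": "", "DestinationIp": "203.0.113.10"}),
])


if __name__ == "__main__":
    for hit in scan_jsonl(SAMPLE_JSONL):
        print(f"ALERT ngrok tunnel endpoint: {hit['Image']} -> {hit['DestinationHostname']}")
```

Running the block prints two alerts: the mixed-case hostname still matches because the comparison is lowercased, while the event with an empty hostname is ignored even though it may represent the same connection by IP, which is the main blind spot of a hostname-based rule.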